Splunk® Enterprise Securing Splunk Enterprise with Common Criteria 6.4.5
Generated: 2/01/2017 9:22 am
Copyright (c) 2017 Splunk Inc. All Rights Reserved


Table of Contents

Install SELinux and configure Splunk
    About Common Criteria for Splunk Enterprise
    Common Criteria Evaluation
    Prerequisites
    About working with SELinux
    Install the Splunk .rpm and SELinux Policy .rpm for Splunk
    Configure Splunk Enterprise for Common Criteria
Modify Splunk in Common Criteria mode
    Add custom policies
    Add ports and logs
    Uninstall Splunk
Troubleshooting
    Debug SELinux denials
    Find errors

Install SELinux and configure Splunk

About Common Criteria for Splunk Enterprise

Common Criteria mode is supported for Splunk Enterprise as a single instance on a single machine; it is not supported for distributed environments.

Splunk Enterprise supports Common Criteria on the following platform:

• Red Hat Enterprise Linux Server release 6.5 (Santiago)
• x86_64 architecture (tested on Intel(R) Xeon(R) CPU E3-1220 v3)
• Security-Enhanced Linux (SELinux) with policy version 24

Splunk Enterprise provides a special SELinux splunk-selinux.rpm download that is designed to work specifically with Splunk Enterprise in Common Criteria mode. This manual describes how to configure and work with Splunk Enterprise in Common Criteria mode:

• How to install splunk-selinux.rpm for Splunk Enterprise Common Criteria.
• How to configure a single instance of Splunk to run safely in Common Criteria mode.
• How to add custom policies, ports, and logs to a running instance of Splunk Enterprise in Common Criteria mode.

Only the external ports, connections, and logs provided by the SELinux and Splunk Enterprise configuration detailed in this manual are supported.

Splunk Enterprise supports the Splunk splunk-selinux.rpm download; no other versions are supported at this time.

This manual shows you how to perform specific Common Criteria for Splunk tasks on the SELinux platform (using the provided .rpm). For more information about using SELinux with this manual, see About working with SELinux.

Common Criteria Evaluation

Common Criteria mode was tested with a specific Federal Information Processing Standards (FIPS) 140-2 certified cryptographic module that comes with Splunk. The use of other cryptographic engines was not evaluated or tested during the Common Criteria evaluation of the TOE.


There are several administrative functions that may be considered security functions that do not fall into the scope of the evaluation. The following is a list of the specific administrator security functions that were tested during the Common Criteria evaluation:

• Ability to enable/disable the transmission of any information describing the system's hardware, software, or configuration. Specifically, this is done by configuring email alerts about system activity that the TOE can send.
• Ability to enable/disable the TOE's TLS mutual authentication implementation.
• Ability to configure the supported TLS ciphersuites.
• Ability to check the TOE version.

Prerequisites

1. Red Hat Subscription Manager should be enabled and properly configured. You can install packages by running yum install <package>. Point to repository locations (internal/external) as needed.

2. SELinux should be in "Enforcing" mode, running the targeted policy, at policy version 24. Check the current status and configuration of SELinux. The system needs to be configured to boot with SELinux in Enforcing mode. To do this:

• Open the file /etc/selinux/config and make sure SELINUX= is set to SELINUX=enforcing.
• Run getenforce and look for the result Enforcing. If SELinux is not in Enforcing mode, run the command setenforce 1.
• Open the grub configuration file /etc/grub.conf. Ensure there is no mention of selinux in this file. Some individuals disable SELinux by adding selinux=disabled to the kernel arguments; this should never be present.

3. Make sure the GNOME keyring and Python system dependencies are installed:

yum install gnome-keyring-devel
yum install gnome-python2-gnomekeyring

4. Two additional LUKS-encrypted partitions should be available (for $SPLUNK_HOME and $SPLUNK_ETC). For instructions on setting up LUKS encryption, see:

• https://gitlab.com/cryptsetup/cryptsetup
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html

5. Create a "splunk" user:

useradd splunk

If a "splunk" user already exists, make sure its home directory points to /home/splunk by checking the /etc/passwd file. If not, modify the user to change its home directory:

usermod -m -d /home/splunk splunk

About working with SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. Enabling and enforcing SELinux policies is one of the critical security enhancements needed to secure the underlying platform and is mandatory for meeting Common Criteria standards.

To facilitate your Common Criteria configuration, Splunk Enterprise provides a SELinux splunk-selinux.rpm designed specifically to install for Splunk Enterprise in Common Criteria mode.

Splunk Enterprise only supports the use of this specific splunk-selinux.rpm for Common Criteria.

Splunk Enterprise does not support SELinux for any other use with Splunk Enterprise.

This manual describes the process of installing the special Splunk Enterprise splunk-selinux.rpm SELinux package and configuring Splunk in Common Criteria mode on the SELinux platform.

This manual does not discuss SELinux itself in any depth.

Since SELinux is an open source platform, there is a wealth of information available regarding what SELinux does and how to troubleshoot it. You might find it useful to familiarize yourself with SELinux before and during your Common Criteria efforts, and keep documentation handy for reference and troubleshooting. Here are just a few of the resources available for free on the internet that can help you work with and troubleshoot SELinux:

• https://www.nsa.gov/research/selinux/
• https://fedoraproject.org/wiki/SELinux
• http://selinuxproject.org/page/Main_Page

Install the Splunk .rpm and SELinux Policy .rpm for Splunk

Before you begin, ensure that you have met the prerequisites described in About this manual. Otherwise, the following steps may not work as expected.

To ensure your Splunk Enterprise configuration is Common Criteria-compliant, do not start Splunk Enterprise until you have performed all of the steps described in this topic. Skipping any steps can lead to a non-Common Criteria-compliant installation even if you perform those steps later.

Install Splunk Enterprise

1. Download and install Splunk 6.4.5 as the 'root' user:

yum install splunk-6.4.5-b53a5c14bb5e-linux-2.6-x86_64.rpm

2. Move Splunk's configuration files from their default location to /etc/opt/splunk:

mv /opt/splunk/etc /etc/opt/splunk
export SPLUNK_ETC=/etc/opt/splunk

3. A Common Criteria installation requires the user to provide all needed cryptographic keys and certificates. At first run, the specific key pairs described here must be present. Splunk does not generate these keys.

You can use OpenSSL or any other tool to generate them.

Generate the keys and certificates, then place them in the locations described below. (You may need to create the audit and distServerKeys directories.) The private.pem file must be an encrypted private key that is protected by a passphrase.

ls /etc/opt/splunk/auth/distServerKeys/
private.pem trusted.pem

ls /etc/opt/splunk/auth/audit/
private.pem public.pem

Install the Splunk SELinux .rpm file

1. Download splunk-selinux.rpm for Common Criteria. This .rpm file contains SELinux policies that let you configure and run Splunk Enterprise in Common Criteria mode.

2. Install the file:

yum install splunk-selinux-<version>.rpm

Create Scripts for ease-of-use

Create the following scripts in /home/splunk to easily start and stop Splunk Enterprise:

run_dbus.sh

#!/bin/bash
# Start a session bus in the splunk_dbusd_t domain; dbus-daemon prints its address and pid,
# which are saved to /tmp/dbus-address for the other scripts and for .bashrc.
OUTPUT=$( runcon -t splunk_dbusd_t -r system_r dbus-daemon --session --print-pid --print-address --fork )
echo $OUTPUT > /tmp/dbus-address
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
echo $DBUS_SESSION_BUS_ADDRESS
echo $DBUS_SESSION_BUS_PID

stop_dbus.sh

#!/bin/bash
# Read back the pid recorded by run_dbus.sh and stop that session bus
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
kill $DBUS_SESSION_BUS_PID


run_splunk.sh

#!/bin/bash
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
. /opt/splunk/bin/setSplunkEnv
runcon -u system_u -t splunk_t -r system_r splunk start

stop_splunk.sh

#!/bin/bash
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
. /opt/splunk/bin/setSplunkEnv
runcon -t splunk_t -r system_r splunk stop

Run the following commands as root to ensure that the scripts have the correct SELinux file contexts:

chown splunk:splunk /home/splunk/*
chcon -u system_u -r object_r -t initrc_exec_t /home/splunk/run_*
chcon -u system_u -r object_r -t initrc_exec_t /home/splunk/stop_*
chmod 755 /home/splunk/run_* /home/splunk/stop_*
chcon -u system_u -r object_r -t splunk_usr_t /home/splunk

Updating Splunk

Under Common Criteria guidelines, certified products may be updated with patches and still be considered Common Criteria certified configurations.

Splunk Enterprise automatically checks to see if an update is available and notifies users via the login screen that there is an update available. Splunk does not download the update automatically.

1. Click the update URL in Splunk Web. You are redirected to the authorized Splunk customer portal site.


2. Authenticate, then manually download the .rpm package to the underlying platform.

3. Manually install the package as root using the platform's .rpm application.

The .rpm can also be used to show the current version of the TOE.

Splunk provides a public key that is installed to .rpm in the evaluated configuration. You can then run rpm -K to verify the update against the installed public key prior to installation. See Install Splunk Securely in the Splunk Enterprise Installation Manual.

Configure Splunk Enterprise for Common Criteria

This topic assumes you have completed all of the installation tasks described in Install the Splunk .rpm and SELinux Policy .rpm.

Set the splunk user

All the steps in this topic must be performed as the "splunk" user. This is the user ID under which your Splunk Enterprise application runs. If you create or modify any files as root or any other user, the splunk user is unable to access Splunk Enterprise, causing unexpected behavior.

su - splunk
export SPLUNK_HOME=/opt/splunk
export SPLUNK_ETC=/etc/opt/splunk

Generate/Obtain Common Criteria-compliant certificates

Splunk in Common Criteria mode does not generate any cryptographic keys or certificates. Use OpenSSL or any other tool to generate self-signed certificates. These certificates must be FIPS-compliant. You can also get certificates issued by CAs such as Verisign/GlobalSign. The certificates must be in PEM format.

NOTE: If you use the Splunk-generated default certificates, Splunk will not have network communication. The CLI as well as Splunk Web will be non-functional. Any errors will be logged in splunkd.log.

List of certificates/keys

Provide certificates/keys for Splunk Enterprise to work in Common Criteria mode. Some of these certificates (for example, inputs.conf) are optional, depending on whether the functionality is required. The details of these attributes can be found in /etc/opt/splunk/system/README/*.conf.spec.

<conf-file>, <stanza-name>, <attribute-name>

server.conf, [sslConfig], sslKeysFile
server.conf, [sslConfig], sslRootCAPath
server.conf, [kvstore], sslKeysPath

web.conf, [settings], privKeyPath
web.conf, [settings], caCertPath

# these should have been provided in the install step before installing splunk-selinux.rpm
audit, [auditTrail], privateKey
audit, [auditTrail], publicKey
distsearch, [tokenExchKeys], publicKey
distsearch, [tokenExchKeys], privateKey

# needed only if using splunktcp-ssl for getting input from forwarders
inputs, [SSL], serverCert

# needed if this is a forwarder configuration
outputs, [tcpout], sslCertPath

# CRLs: must store CRL files under the /etc/opt/splunk/auth/crl directory. Look at the README in that directory.

Update Splunk Configuration Files with Common Criteria-compliant Settings

Update or create the .conf files under /etc/opt/splunk/system/local/ with these settings. The paths shown in these samples are for illustration and can be different if desired.

server.conf

[general]
requireBootPassphrase = true
allowRemoteLogin = never

[sslConfig]
caPath = /etc/opt/splunk/auth/<cert_dir_path>
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256
sendStrictTransportSecurityHeader = true
sslKeysfile = <filename_of_server_cert_with_encrypted_key>
sslAltNameToCheck = <comma_separated_list_of_SANs>
sslCommonNameList = <comma_separated_list_of_CNs>
# On RHEL 6.5, this will typically be '/etc/pki/tls/certs/ca-bundle.crt'.
# For any additional CAs you want to trust, append them to this file.
sslRootCAPath = <path_to_OS_root_cert_store>
sslVerifyServerCert = true
sslVersions = tls1.2
sslVersionsForClient = tls1.2

[kvstore]
sslKeysPath = <absolute_path_to_kvstore_certificate>

web.conf

[settings]
privKeyPath = <absolute_path_to_encrypted_private_key>
caCertPath = <absolute_path_to_public_certificate>
enableSplunkWebSSL = 1
sslVersions = tls1.2
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256

authentication.conf

[secrets]
disabled = false

alert_actions.conf

[email]
use_tls = 1
sslVersions = tls1.2
sslVerifyServerCert = true
sslCommonNameToCheck = <comma_separated_list_of_CNs>
sslAltNameToCheck = <comma_separated_list_of_SANs>
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256
pdf.html_image_rendering = false

inputs.conf

# Use only if configuring Splunk as an Indexer, which can receive data from the Forwarders.
[SSL]
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256
requireClientCert = true
sslVersions = tls1.2
serverCert = <absolute_path_to_server_cert>
sslAltNameToCheck = <comma_separated_list_of_SANs>
sslCommonNameToCheck = <comma_separated_list_of_CNs>

outputs.conf

# Use only if configuring Splunk as a Forwarder, which can send data to Indexers.
[tcpout:<tcpout_group_id>]
server = <host_port_for_indexer>
useClientSSLCompression = true
sslVerifyServerCert = true
sslCipher = AES128-SHA:AES128-SHA256:AES256-SHA256
sslVersions = tls1.2
sslCertPath = <absolute_path_to_client_cert>
sslCommonNameToCheck = <comma_separated_list_of_CNs>
sslAltNameToCheck = <comma_separated_list_of_SANs>

Enable Common Criteria mode for Splunk

Modify /etc/opt/splunk/splunk-launch.conf:

SPLUNK_COMMON_CRITERIA=1
SPLUNK_FIPS=1
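As an added example (not part of the manual or of Splunk's own tooling), the following Python checker parses Splunk's INI-style .conf files and reports any of the fixed-value settings above, plus the two splunk-launch.conf flags, that are missing or differ from the required value. The sample files it runs on are constructed for the example and deliberately leave TLS 1.0 enabled, omit enableSplunkWebSSL, and omit SPLUNK_FIPS.

```python
"""Check Splunk local .conf files for the Common Criteria settings listed above.
Added example for this manual; SAMPLE_FILES below is constructed, not a real deployment."""

CC_CIPHERS = "AES128-SHA:AES128-SHA256:AES256-SHA256"

# file -> stanza -> attribute -> required value, taken from the settings above.
# Site-specific values (key and cert paths, CN/SAN lists) are not checked here.
REQUIRED = {
    "server.conf": {
        "general": {"requireBootPassphrase": "true", "allowRemoteLogin": "never"},
        "sslConfig": {
            "cipherSuite": CC_CIPHERS,
            "sendStrictTransportSecurityHeader": "true",
            "sslVerifyServerCert": "true",
            "sslVersions": "tls1.2",
            "sslVersionsForClient": "tls1.2",
        },
    },
    "web.conf": {
        "settings": {"enableSplunkWebSSL": "1", "sslVersions": "tls1.2", "cipherSuite": CC_CIPHERS},
    },
    "authentication.conf": {"secrets": {"disabled": "false"}},
}
# splunk-launch.conf has no stanzas; its flags live at top level.
LAUNCH_FLAGS = {"SPLUNK_COMMON_CRITERIA": "1", "SPLUNK_FIPS": "1"}


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.
    Settings that appear before any [stanza] header go under the "" stanza."""
    stanzas = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_conf_files(files):
    """files: {filename: text}. Returns findings as (file, stanza, key, found, expected)
    sorted by file, stanza, key; found is None when the attribute is absent entirely."""
    findings = []
    for fname, stanzas in REQUIRED.items():
        parsed = parse_conf(files.get(fname, ""))
        for stanza, attrs in stanzas.items():
            present = parsed.get(stanza, {})
            for key, expected in attrs.items():
                found = present.get(key)
                if found is None or found.lower() != expected.lower():
                    findings.append((fname, stanza, key, found, expected))
    launch = parse_conf(files.get("splunk-launch.conf", ""))[""]
    for key, expected in LAUNCH_FLAGS.items():
        if launch.get(key) != expected:
            findings.append(("splunk-launch.conf", "", key, launch.get(key), expected))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))


# Constructed sample: TLS 1.0 still enabled on splunkd, Splunk Web SSL not enabled,
# SPLUNK_FIPS missing from splunk-launch.conf. Everything else matches the manual.
SAMPLE_FILES = {
    "server.conf": """[general]
requireBootPassphrase = true
allowRemoteLogin = never

[sslConfig]
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256
sendStrictTransportSecurityHeader = true
sslVerifyServerCert = true
sslVersions = tls1.0,tls1.2
sslVersionsForClient = tls1.2
""",
    "web.conf": """[settings]
privKeyPath = /etc/opt/splunk/auth/web/privkey.pem
caCertPath = /etc/opt/splunk/auth/web/cert.pem
sslVersions = tls1.2
cipherSuite = AES128-SHA:AES128-SHA256:AES256-SHA256
""",
    "authentication.conf": "[secrets]\ndisabled = false\n",
    "splunk-launch.conf": "SPLUNK_COMMON_CRITERIA=1\n",
}

if __name__ == "__main__":
    for fname, stanza, key, found, expected in check_conf_files(SAMPLE_FILES):
        print(f"{fname} [{stanza}] {key}: found {found!r}, expected {expected!r}")
```

Point it at real files by reading each name under /etc/opt/splunk/system/local/ and /etc/opt/splunk/ into the dict; attributes that carry site-specific paths still have to be reviewed by hand.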

Create a seed user for Splunk

By default, Splunk creates a default user 'admin' with password 'changeme'. In Common Criteria mode, you should create a different seed user, so that the default credentials can't be used. Update the /etc/opt/splunk/system/local/user-seed.conf file:

[user_info]
# preferably choose something different from 'admin'
USERNAME = <username>

Simplify environment setup with .bashrc inclusion

Include these lines in /home/splunk/.bashrc so that the environment is set up properly when using the Splunk CLI:

export SPLUNK_ETC=/etc/opt/splunk
export DBUS_SESSION_BUS_ADDRESS=$(awk '{ print $1}' /tmp/dbus-address)
export DBUS_SESSION_BUS_PID=$(awk '{ print $2}' /tmp/dbus-address)
export PATH=/usr/bin:$PATH
. /opt/splunk/bin/setSplunkEnv


Initialize Secret Storage

Before starting Splunk, start the dbus process. The dbus daemon is needed for communication with the GNOME keyring.

/home/splunk/run_dbus.sh

Check that the dbus process is running with the splunk_dbusd_t SELinux context:

ps auxZ | grep dbus

You will see output similar to:

unconfined_u:system_r:splunk_dbusd_t:s0 splunk 28563 0.0 0.0 31680 872 ? Ssl 14:36 0:00 dbus-daemon --session --print-pid --print-address --fork

Source .bashrc so that the DBUS environment variables are set up:

source /home/splunk/.bashrc

Initialize the secret storage password:

runcon -u system_u -t splunk_t -r system_r splunk secret-storage --unlock

To see the list of keys available for secret storage:

runcon -u system_u -t splunk_t -r system_r splunk secret-storage --spec

Add secrets to Secret Storage

The command to add secrets to the gnome keyring is:

runcon -u system_u -t splunk_t -r system_r splunk secret-storage --write --no-prompt <conf-file> <stanza-name> <attribute-name> <passphrase>

• conf-file: configuration file (e.g. server.conf)
• stanza-name: name of stanza (e.g. sslConfig)
• attribute-name: name of attribute (e.g. sslKeysfilePassword)
• passphrase: passphrase to be used


List of Secrets

<conf-file>, <stanza-name>, <attribute-name>

alert_actions.conf, [email], auth_password
server.conf, [sslConfig], sslKeysfilePassword
server.conf, [kvstore], sslKeysPassword
user-seed.conf, [user_info], PASSWORD
audit.conf, [auditTrail], privateKeyPassphrase
web.conf, [settings], privKeyPassword
distsearch.conf, [tokenExchKeys], privateKeyPassphrase
inputs.conf, [SSL], password
outputs.conf, [tcpout], sslPassword

An example:

[splunk@qa-cc-rhel65-03 ~]$ runcon -u system_u -t splunk_t -r system_r splunk secret-storage --write --no-prompt server sslConfig sslKeysfilePassword password

Start Splunk and validate your configuration

Start Splunk

/home/splunk/run_splunk.sh

Check that Splunk is running with the splunk_t SELinux context:

ps auxZ | grep splunk

To verify that Splunk Enterprise is in Common Criteria mode, check /opt/splunk/var/log/splunk/splunkd.log. Look for the following message, or something similar, to confirm that Splunk Enterprise is running in Common Criteria mode:

ServerConfig - Splunk is starting in Common Criteria Mode.

Both splunkd and splunkweb should work normally in Common Criteria mode.

NOTE: Ensure you have a valid Splunk Enterprise license installed. See Types of Splunk Enterprise licenses.


Using Splunk Enterprise in Common Criteria Mode

Splunk CLI commands should be run as the splunk user and prefixed with the SELinux 'runcon' command to set the proper SELinux context:

runcon -u system_u -t splunk_t -r system_r splunk <cli_cmd>

To stop Splunk, use the provided stop_splunk.sh script:

/home/splunk/stop_splunk.sh

If you need to stop dbus, use the provided stop_dbus.sh script and run the following commands:

/home/splunk/stop_dbus.sh
pkill gnome-keyring
rm /tmp/dbus-address

Updating CRL Information

Splunk Enterprise expects to find the CRLs for revocation checking under the $SPLUNK_ETC/auth/crl directory, in PEM format. We provide a simple script as an example of how this can be automated. Any other mechanism that downloads the CRL files into the designated location should work as well. The example script expects the user to provide a list of URLs (one per line) for the CRLs of the certificates Splunk will be using.

An example file may look like:

$ cat crl.txt
http://pki.google.com/GIAG2.crl
http://g.symcb.com/crls/gtglobal.crl

The bash script below goes through this crl.txt file, downloads the CRL files into the $SPLUNK_ETC/auth/crl directory, and converts them into PEM format if needed.

#!/bin/bash
# NOTE: Only applicable for Splunk version 6.4.x, while running in Common Criteria mode.
# This script is provided as an example for downloading the CRL files into the location
# Splunk expects them to be. Any other mechanism which updates CRL files should work.
# The user can run the script one time OR set up a cron job to run it periodically (say every 30 min).
# The script cleans out ALL existing CRL files (*.crl, *.pem) and then downloads the new versions.
# Example invocation: /home/splunk/update_crl.sh /home/splunk/crl.txt /etc/opt/splunk/auth/crl

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <crllist_file_absolute_path> <crl_download_location_absolute_path>"
    exit 1
fi

# remember where we started (without overwriting the shell's own PWD variable)
OLD_DIR=$(pwd)

filename=$1
crl_dir=$2

if [ ! -f "$filename" ] || [ ! -d "$crl_dir" ] || [[ "$filename" != /* ]] || [[ "$crl_dir" != /* ]]; then
    echo "Both the crllist_file and crl_download_location must exist and be specified as absolute paths."
    exit 2
fi

# go to $crl_dir; never run the cleanup below in the wrong directory
cd "$crl_dir" || exit 3
# remove older CRL files if present
rm -f ./*.crl ./*.pem

while read -r line || [[ -n "$line" ]]; do
    url=$line
    # skip blank lines in the URL list
    [ -z "$url" ] && continue
    if ! wget "$url"; then
        echo "Failed to download CRL file: $url"
    fi
done < "$filename"

# For each file except README in this dir, check if the file is in DER format.
# If yes, then convert to PEM and remove the corresponding CRL file.
for f in ./*; do
    [ -f "$f" ] || continue
    if [ "$f" != "./README" ]; then
        # use openssl from the OS itself; success means the file already parses as PEM
        if ! openssl crl -in "$f" -text -noout &> /dev/null; then
            # DER format, must convert to PEM
            if ! openssl crl -inform der -in "$f" -out "$f.pem"; then
                echo "Failed to convert DER format CRL file ($f) into PEM format. Splunk will not use this CRL file"
            fi
            rm -f "$f"
        fi
    fi
done

# revert to old pwd
cd "$OLD_DIR"

Let's say you have saved this script as /home/splunk/update_crl.sh. Set the appropriate SELinux context and file permissions on this file:

chown splunk:splunk update_crl.sh crl.txt
chcon -u system_u -r object_r -t initrc_exec_t update_crl.sh
chmod 755 update_crl.sh

One can easily set up a cron job to execute this script periodically and update the CRL files that Splunk uses. As the 'splunk' user:

$ crontab -e

This opens the cron configuration file for the 'splunk' user. Add this line to the file to update CRL info every 15 minutes:

*/15 * * * * /home/splunk/update_crl.sh /home/splunk/crl.txt /etc/opt/splunk/auth/crl &> /dev/null

This updates the CRL files. To load the updated CRL info into Splunk, one can simply run a search in the UI:

| rest /services/server/security/crl/_reload

To automate this, save this search as a saved search under the 'admin' user. The simplest way is to update the /etc/opt/splunk/users/admin/search/local/savedsearches.conf file:

[Reload CRL information]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
enableSched = 1
# update every minute (change if necessary)
cron_schedule = * * * * *
search = | rest /services/server/security/crl/_reload

You can check that CRL info is updating in Splunk Enterprise on a regular basis by enabling 'DEBUG' logging for the 'X509' component. You should see messages similar to these in splunkd.log when CRL info is reloaded:

09-08-2016 15:50:14.452 -0700 DEBUG X509 - Successfully added (/etc/opt/splunk/auth/crl/GIAG2.crl.pem) to the revocation store.
09-08-2016 15:50:14.452 -0700 DEBUG X509 - Successfully added (/etc/opt/splunk/auth/crl/gtglobal.crl.pem) to the revocation store.
09-08-2016 15:50:14.452 -0700 DEBUG X509 - Added 2 CRL files from the CRL directory (/etc/opt/splunk/auth/crl) to the revocation store.


Modify Splunk in Common Criteria mode

Add custom policies

To add custom rules to your configuration, create a new policy package for those rules and then add them to Splunk Enterprise. Do not modify the existing Splunk policy package files.

To create and install a new policy package:

1. Temporarily set SELinux to "Permissive" mode:

setenforce 0

2. Create policy package files using sepolgen. This creates three files (*.fc, *.if, *.te); package them into a .pp file.

3. Install the policy package:

semodule -i *.pp

4. Check the audit log to ensure there are no relevant denials (records of type=AVC).

5. If there are any denials, convert them to allow rules for the Type Enforcement definition file (*.te). For example, filter the denials out of /var/log/audit/audit.log and pass them to audit2allow:

grep "denied" /var/log/audit/audit.log | audit2allow

6. Once there are no denial messages, set SELinux back to "Enforcing":

setenforce 1

7. Restart Splunk Enterprise:

service splunk restart

Add ports and logs

Use boolean toggles to add logs

SELinux provides options to toggle booleans. For example, to access /var/log in Splunk Enterprise while in Common Criteria mode, you can add it as a boolean that can be toggled off or on by the user.


Allow network ports

Splunk Enterprise supports Splunk Web and management ports in our policy. You can add rules to allow custom ports such as TCP, UDP, etc. For more information, see Add custom policies.

Uninstall Splunk

Stop Splunk Enterprise, then run the following commands as root:

yum remove splunk-selinux
mv /etc/opt/splunk /opt/splunk/etc
yum remove splunk


Troubleshooting

Debug SELinux denials

In Splunk Enterprise for Common Criteria, denials are almost always the result of introducing a new policy:

1. Check the audit log to ensure there are no relevant denials (records of type=AVC).

2. If there are any denials, convert them to allow rules for the Type Enforcement definition file (*.te). For example, filter the denials out of /var/log/audit/audit.log and convert them to allow rules as follows:

grep "denied" /var/log/audit/audit.log | audit2allow

Find errors

To troubleshoot problems with your Splunk Enterprise for Common Criteria configuration, try the following:

• Analyze audit.log for errors:

audit2allow -r -R -t splunk_t -i audit.log -o splunk-selinux.analysis

• Check for policy denials and reset policies to be allowed as necessary. See Debug SELinux denials.

For more information about troubleshooting SELinux, see the SELinux project site at http://selinuxproject.org.
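As an added example (not from the manual), the following Python triage parses AVC records from audit.log, keeps only those raised by the splunk_t domain, counts what was denied, and renders audit2allow-style allow rules so each can be reviewed before it goes into a custom .te file. The audit lines it runs on are constructed for the example in the RHEL 6 audit.log format.

```python
"""Triage SELinux AVC denials for the splunk_t domain (added example, not from the manual).
SAMPLE_AUDIT_LINES is constructed to look like RHEL 6 audit.log records."""
import re
from collections import Counter, defaultdict

# Pull the denied permissions, the process, both security contexts and the object class
# out of one AVC record; everything else on the line is ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r'comm="(?P<comm>[^"]+)".*?'
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    rec["sdomain"] = rec["scontext"].split(":")[2]  # contexts are user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise_denials(lines, domain="splunk_t"):
    """Count denied (target type, class, permission) triples for one source domain,
    ignoring denials raised by other domains that share the same audit log."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["sdomain"] == domain:
            for perm in rec["perms"]:
                counts[(rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def candidate_rules(counts, domain="splunk_t"):
    """Render one allow rule per (target type, class) in the form audit2allow emits,
    so each can be reviewed before it goes into a custom .te file."""
    grouped = defaultdict(set)
    for ttype, tclass, perm in counts:
        grouped[(ttype, tclass)].add(perm)
    return sorted(
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in grouped.items()
    )


# Constructed sample: splunkd denied read/open on /var/log/messages and a bind to TCP 9997,
# one unrelated httpd denial, and a SYSCALL record that is not an AVC at all.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1473375014.452:1201): avc:  denied  { read } for  pid=28563 comm="splunkd" name="messages" dev=dm-0 ino=131 scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1473375014.460:1202): avc:  denied  { open } for  pid=28563 comm="splunkd" path="/var/log/messages" dev=dm-0 ino=131 scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1473375020.100:1203): avc:  denied  { name_bind } for  pid=28563 comm="splunkd" src=9997 scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1473375021.000:1204): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1473375014.452:1201): arch=c000003e syscall=2 success=no exit=-13 comm="splunkd" exe="/opt/splunk/bin/splunkd" subj=system_u:system_r:splunk_t:s0',
]

if __name__ == "__main__":
    counts = summarise_denials(SAMPLE_AUDIT_LINES)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {key}")
    print("\n".join(candidate_rules(counts)))
```

Each rendered rule is a candidate only: a denial on var_log_t may be better served by the boolean approach described under Add ports and logs than by a blanket allow.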
