Module 3: User Authentication and Authorisation Flashcards
How is Splunk platform secured?
- Role-based access – a valid user account with one or more roles is required to access Splunk
- Single sign-on – integrate with enterprise SSO solutions
- Auditability – audited events such as searches and conf file changes are indexed in _audit index
What are the additional security measures of Splunk?
- Encrypted data flow – data is secured using SSL/TLS (can be disabled)
- Assurance of data integrity – data can be checked for tampering
- Authenticated cluster communication – data travelling between Splunk instances is secured through pass4SymmKey
What is FIPS mode?
FIPS mode (Federal Information Processing Standard – FIPS 140-2) – if enabled, Splunk automatically configures all security settings to comply with US federal government standards. You have to enable FIPS mode before starting Splunk for the first time.
A Splunk ___ ultimately determines what a user can and cannot do (privileges)
role
Name some examples of capabilities
- search – lets the user perform searches
- schedule_search – schedule saved searches, create alerts
- edit_sourcetypes – lets the user edit sourcetypes
- rtsearch – perform real-time searches
- license_edit – edit licenses
- admin_all_objects – modify any object in the system
Name the Splunk built-in roles
- admin – modify all Splunk objects
- power – create and edit shared knowledge objects
- user – create and edit own knowledge objects
- can_delete – delete events by keyword
- splunk-system-role – special role for system processes
You can use the ___ command to see the capabilities of a particular role
btool
What are the two ways to create and edit a role?
- Splunk Web
- Configuration file – authorize.conf
Why create a custom role?
- Tweak default parameters
- Flexibility
- Index security
- Knowledge objects security
How do you create a custom role using conf files?
- authentication.conf = define authentication parameters such as LDAP settings
- authorize.conf = create new roles and edit capabilities of roles
- user-prefs.conf = specify the default app for a role, along with other UI-specific parameters
What are the four authentication mechanisms that are supported?
- Native
  - always on, cannot be disabled
  - users can be added, edited and deleted from Splunk Web
  - users are maintained in the $SPLUNK_HOME/etc/passwd file
- External LDAP
  - most common
  - integrates with Active Directory (AD)
- SAML
  - open standard used to assert security information via XML
- Scripted authentication – lets you use your own authentication system
What do you need to know before creating an LDAP strategy?
- LDAP host and port number
- Bind credentials
- User base DN and group base DN
- Username and real-user-name attributes
- Group name and static member attributes
What are some features of single sign-on?
- No need to type username/password
- No need to remember/renew passwords
- Faster login time means better user experience
- Avoids weak passwords
___ is required for single sign-on
SAML
Why multi-factor authentication?
- Additional source of validation for improved security
- Meet compliance/audit requirements such as NIST and GDPR
- Prevention of security attacks such as DoS
- Reduce the risk of compromising passwords