Module 3: User Authentication and Authorisation

Question 1

How is Splunk platform secured?

Answer 1

• Role based access - Valid user account with one or more roles is required to access Splunk
• Single sign-on – integrate with enterprise SSO solutions
• Auditability – audited events such as searches and conf file changes are indexed in _audit index

Question 2

What are the additional security measures of Splunk?

Answer 2

• Encrypted data flow – data is secured using SSL/TLS (can be disabled)
• Assurance of data integrity – data can be checked for tampering
• Authenticated cluster communication – data travelling between Splunk instances are secured through pass4symmkey

Question 3

What is FIPS mode?

Answer 3

FIPS mode (federal information processing standard – FIPS 140-2) – if enabled, Splunk automatically configures all security to comply with US federal government standards. You have to enable FIPS mode before starting Splunk for the first time.

Question 4

A Splunk __ultimately determines what a user can do and cannot do (privileges)

Answer 4

role

Question 5

Name some examples of capabilities

Answer 5

• Search – lets user perform searches
• Schedule_search – schedule saved searches, create alerts
• Edit_sourcetypes – lets user edit sourcetypes
• Rtsearch – perform real time searches
• License_edit – edit licenses
• Admin_all_objects – modify any object in the system

Question 6

Name the Splunk built in roles

Answer 6

• Admin – modify all Splunk objects
• Power – create and edit shared knowledge objects
• User – create and edit own knowledge objects
• Can_delete – delete events by keyword
• Splunk-system-role – special role of system processes

Question 7

You can use the ___command to see capabilities of a particular role

Answer 7

btool

Question 8

What are the two ways to create and edit a role?

Answer 8

• Splunk web

* Configuration file – authorize.comf

Question 9

Why create a custome role?

Answer 9

• Tweak default parameters
• Flexibility
• Index security
• Knowledge objects security

Question 10

How do you create a custom role using conf files?

Answer 10

• Authentication.conf = define authentication parameters such as LDAP settings
• authorize.conf = create new roles and edit capabilities of roles
• user-prefs.conf = specify the default app for a role, along with other UI specific parameters

Question 11

What are the four authentication mechanisms that are supported?

Answer 11

• native
o always on, cannot be disabled
o users can be added, edited and deleted from Splunk web
o users maintained in $SPLUNK_HOME/etc/passwd file
• External LDAP
o most common
o integrates AD
• SAML
o open standard used to assert security info via XML
• Scripted authentication – can use own authentication systems

Question 12

What do you need to know before creating an LDAP strategy?

Answer 12

• LDAP host and port number
• Bind credentials
• User base DN and group base DN
• Username and real-user-name attributes
• Group name and static member attributes

Question 13

What are some features of single sign-on?

Answer 13

• No need to type username/password
• No need to remember/renew passwords
• Faster login time means better user experience
• Avoids weak passwords

Question 14

___is required for Single sign on

Answer 14

SAML

Question 15

Why Multi factor authentication?

Answer 15

• Additional source of validation for improved security
• Meet compliance/audit requirements such as NIST and GDPR
• Prevention of security attacks such as DoS
• Reduce the risk of compromising passwords

Question 16

What are the supported multi-factor integrations?

Answer 16

• Duo security

* RSA security