SPLK-2002 Splunk Enterprise Certified Architect – Security Primer

  1. Access Control

Hey everyone and welcome back. In today’s video we will be discussing access control in Splunk. Now, depending upon the use cases and the requirements you might have, the way in which you segregate the data or apply access control will differ. So let’s take an example where you have extremely sensitive data, where even having access to the system might involve legal risk. For such use cases, it is recommended to use an isolated, separate Splunk instance which is specific to the relevant audience. I still remember that one of the organizations I was working with dealt with payments. So basically we had two Splunk instances. One was a very isolated one and it had a different VPN altogether, and the second was the generic one where a lot of people, including developers and various others, had access. So there were two Splunk instances, and each Splunk instance required a different VPN connection altogether. So again, depending upon what type of requirement you might have, you will have to consider using a separate Splunk instance altogether. Now, when you have sensitive data, but not extremely sensitive data, then you can restrict access to specific indexes through the role the user is assigned to.

We’ll be discussing more about this in the upcoming videos. Now, in Splunk, basic user authentication and authorization work with users, roles and permissions. Splunk Enterprise authentication allows us to create users. Once the users are created, we assign those users to roles. Roles can be thought of as groups, and permissions are assigned to those roles. So you have the users on the left-hand side here. Then you have a role, and this role has two permissions; they can be any permissions that you might define. What you do is attach the user to this specific role, so any user who is connected to this role inherits the permissions attached to the role the user is associated with. So let’s look into the practical aspect of how exactly this looks. I’m on my Splunk page, and if you go to Settings, there is an Access controls section. We can click here, and there are four options: Authentication method, Users, Roles and Password Policy Management.

Now, typically, whenever you create a user, that user can be stored locally within Splunk, or it can come from a central directory like LDAP, or it can even come from SAML. So depending upon what you want, the authentication method dictates that. Currently our authentication method does not have any external entity associated with it, so there is no LDAP and no SAML. In case you have LDAP within your organization, you can select LDAP and configure it accordingly. You even have options for multifactor authentication based on Duo Security and RSA SecurID, in case you want to have MFA. Now again, it really depends upon the compliance and requirements you intend to meet. I’ll give you one use case: the compliance that we had, it was a regional compliance, required multifactor authentication before anyone connected to Splunk. So what we did was we had a separate VPN altogether for Splunk, and we had multifactor authentication on the VPN.

So the MFA was there on the VPN, and on Splunk itself we did not really have MFA. So again, it depends on the use cases that you might have: you can have MFA on the VPN, and you can even have MFA on Splunk as well in case you want to go all out on the security aspect. So going back to the access control, let’s go to Users now. Currently you see I only have one user. This is the admin user, and if I click on the admin user, this admin user is assigned to a role. This is very similar to what we were discussing in the slides, where any user that you create is assigned to a role, and the role in turn has its own permissions. So my admin user here is assigned to the admin role. Now again, there are a lot of default roles that you see present over here. Some of the roles come from the apps and add-ons that you install, and some of them come by default in Splunk. So this is what the users are all about.

Now the next thing is the roles. So let’s quickly go inside the roles. You see there are a lot of roles available. Again, certain roles like aws_admin do not come by default; they come through the apps and add-ons that we installed within Splunk. Others, like admin, can_delete, power and user, are the ones which come by default in Splunk. Now, if you click on the admin role, let’s quickly open this up. This role has certain conditions associated with it: it has certain inheritance, and it also has certain capabilities. If you look into the admin role, it has a lot of capabilities that you will see over here, and if you go a bit down you can specify the indexes that it searches by default. Along with that, let’s do one thing: let’s open up roles again and open the user role this time. If you compare the capabilities of the user role and the admin role, the admin role has admin_all_objects, the AWS admin capability, change_authentication and many more, whereas the user role does not have many capabilities. Only the basic capabilities that a typical user might need are present over here. So the last thing before we go ahead and create a user is Password Policy Management, where you can define the password policy. Currently you see the minimum length is eight characters.

You can even have a much more complex password policy, for example requiring the password to contain numerals, lowercase, uppercase and special characters. You also have an option for password expiration, where users would have to change their password every 90 days, and you also have lockout settings. So if someone tries to log into Splunk with a wrong password repeatedly, say five times, then that account will be locked out for a duration of 30 minutes. All of these configuration parameters are part of Password Policy Management. Again, these are quite useful, and you need to make sure that they comply with the security policy your organization might have. So with this, let’s go to Users and we’ll create a new user. I’ll name this user zeal. Let’s skip the other aspects, set a password here, and then we need to assign it to a role. There are various roles present over here. If you want this user zeal to be an admin, you can select admin; however, the default one is user. I’ll just leave it for the time being so that we can see how exactly the user role would typically look, because everything that we have been doing so far is through the admin role, and hence we have all of the settings that you see, because those are admin capabilities.

So let’s go ahead and do a save. Before we do a save, do remember that there is an option ‘Require password change on first login’, which means that the first time the user logs in, they will be asked to change the password. So I’ll go ahead and do a save. Now I’m in a Firefox private window, I’ll go to localhost:8000 and log in with the user zeal and the password which we have set. It says that for security reasons the admin of this account has requested that you change your password. This is something that we have already seen. So let’s change our password, and we’ll go ahead and do a save. Now this user zeal has limited capabilities. If you go to Settings now, you see you do not really have all of the configurations that you typically would have with admin privileges. So what the user role is able to do is much more limited and basic. That’s the high-level overview of Splunk access control. Again, we’ll be discussing things in detail in the upcoming videos. But with this video I hope you understood the basics of the three important factors that form part of access control: users, roles and permissions. Permissions are typically also referred to as capabilities. These are the three important elements which form a strong access control. So with this we’ll conclude this video. I hope this has been informative for you and I look forward to seeing you in the next video.
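The password policy settings described above (minimum length and complexity, 90-day expiry, five failures locking the account for 30 minutes) as a small runnable model. This is an added example, not Splunk’s code or anything from the course: the POLICY values are the ones set in the video, the key names mirror the [splunk_auth] stanza of authentication.conf, the user name and timestamps in simulate_guessing are constructed, and the threshold window is modelled as a sliding window, which is my reading of lockoutThresholdMins rather than a guarantee about Splunk’s exact reset semantics.

```python
"""Password Policy Management settings as a small, runnable model
(added example; not Splunk code)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Values from the video (8 chars, 90-day expiry, 5 failures -> 30 minutes);
# the key names mirror the [splunk_auth] stanza of authentication.conf.
POLICY = {
    "minPasswordLength": 8,
    "minPasswordDigit": 1,
    "minPasswordLowercase": 1,
    "minPasswordUppercase": 1,
    "minPasswordSpecial": 1,
    "expirePasswordDays": 90,
    "lockoutAttempts": 5,
    "lockoutMins": 30,
    "lockoutThresholdMins": 5,  # failures only count if they fall in this window (modelled as sliding)
}


def password_violations(pw: str, policy=POLICY) -> List[str]:
    """Return the complexity rules a candidate password breaks (empty list = OK)."""
    rules = [
        (len(pw) >= policy["minPasswordLength"], "too short"),
        (len(re.findall(r"\d", pw)) >= policy["minPasswordDigit"], "needs a digit"),
        (len(re.findall(r"[a-z]", pw)) >= policy["minPasswordLowercase"], "needs lowercase"),
        (len(re.findall(r"[A-Z]", pw)) >= policy["minPasswordUppercase"], "needs uppercase"),
        (len(re.findall(r"[^A-Za-z0-9]", pw)) >= policy["minPasswordSpecial"], "needs special"),
    ]
    return [msg for ok, msg in rules if not ok]


def password_expired(set_on: datetime, now: datetime, policy=POLICY) -> bool:
    """True once expirePasswordDays have elapsed since the password was set."""
    return now - set_on >= timedelta(days=policy["expirePasswordDays"])


class LockoutTracker:
    """Per-user failed-login counter with a threshold window and a lockout period."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures: Dict[str, List[datetime]] = {}
        self.locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = timedelta(minutes=self.policy["lockoutThresholdMins"])
        recent = [t for t in self.failures.get(user, []) if now - t < window]
        recent.append(now)
        if len(recent) >= self.policy["lockoutAttempts"]:
            self.locked_until[user] = now + timedelta(minutes=self.policy["lockoutMins"])
            self.failures[user] = []
            return True
        self.failures[user] = recent
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def simulate_guessing(attempts: int, spacing_seconds: int) -> Tuple[Optional[int], bool, bool]:
    """Constructed scenario: `attempts` wrong passwords for user 'zeal',
    `spacing_seconds` apart, starting at 09:00. Returns
    (attempt number that triggered the lockout or None,
     still locked 29 minutes after the first attempt,
     unlocked once lockoutMins have passed since the lockout)."""
    tracker = LockoutTracker()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    locked_after: Optional[int] = None
    lock_time: Optional[datetime] = None
    for i in range(attempts):
        now = t0 + timedelta(seconds=spacing_seconds * i)
        if tracker.record_failure("zeal", now) and locked_after is None:
            locked_after, lock_time = i + 1, now
    still_locked = tracker.is_locked("zeal", t0 + timedelta(minutes=29))
    release = (lock_time or t0) + timedelta(minutes=POLICY["lockoutMins"])
    released = not tracker.is_locked("zeal", release)
    return locked_after, still_locked, released


if __name__ == "__main__":
    print(password_violations("password"), password_violations("Winter-2024!"))
    print("fast:", simulate_guessing(6, 10))    # locks on the 5th try
    print("slow:", simulate_guessing(6, 120))   # never locks: each failure ages out of the window
```

The second simulated run is the caveat worth remembering: a lockout tuned to five failures within five minutes does nothing against guessing spaced two minutes apart, which is one reason the MFA on the VPN or on Splunk itself discussed above matters more than the lockout counter alone.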

  2. Creating Custom Roles & Capabilities

Hey everyone and welcome back. So, continuing our journey with access control in Splunk, in today’s video we’ll be looking into some of the important aspects which you will typically find under the access control area, as well as how we can create our own role. In the earlier video, if you remember, we had created a user called zeal, and now if you look into the options associated with zeal: the authentication system here is Splunk, the default app is launcher, the default app is inherited from Splunk, the role is user and the status is active. If you click on the user zeal, one important aspect that you will find is the default app. This is quite important, so let me quickly show you what exactly this means. If I log in as zeal in my Splunk instance, you will see that I land on the home page. However, you can even tell Splunk that whenever a user logs in, they should go directly to the Search & Reporting app.

So instead of going to the home page, then to the Search & Reporting app, and only then starting to search, you can skip straight to the app, and that is done with the help of the default app setting. Let’s look into how exactly this would work. So from launcher (home) I’ll change the default app to Search & Reporting and click Save. Once done, let’s verify it. I’ll log out, log back in as zeal with the password, and this time I’ll be redirected to the Search & Reporting app directly. This becomes useful a lot of the time, because you might have various apps like the Splunk App for AWS, and there are certain AWS administrators who only want to see the dashboards related to the Splunk App for AWS. So you can set the default app to the Splunk App for AWS, so that whenever they log in, they go directly into this app and see the dashboards. This is a much easier way of doing things. With this set, let’s go ahead and create our own role and see how exactly it would look. I’ll go to New Role.

The first option that you will see is the role name. Let’s give it the role name custom role. Then comes the default app; we’ll just ignore this for the time being. The important part here, the first one, is ‘Restrict search terms’. Let me quickly show you what this means with an example. Let’s say I am logged in as the user zeal, and if I search index=* with the time preset set to All time, you would typically see that I am getting events from various sources: you have the access log, the secure log and various other sources that I have, and if you have multiple hosts, you get events from multiple hosts. In case you want to restrict that, you can put a filter over here. So I’ll set source to the access log source. Now what happens is that instead of all the sources, the user will only be able to find the log events which come from that specific source. This is what the restrict search terms option is all about.

The next important part is ‘Restrict search time range’. Generally, whenever you search, you have certain time presets: today, last 24 hours, last 30 days, even previous years. If someone searches over, say, the last 90 days and the number of events is huge, it will take a huge amount of resources. So you can restrict the search time range with this option. The next options are the user-level concurrent search job limit and the user-level concurrent real-time search job limit. Real-time searches typically take a huge amount of resources: if you look into the presets there is a preset called ‘All time (real-time)’, which shows you the logs as they come in, in real time, and that takes a good amount of CPU. So this is the limit that you can put at the user level. Let’s say I set a user-level concurrent search job limit of five and a user-level concurrent real-time search job limit of five here.

Along with that, you have two more configuration settings: the role-level concurrent search job limit and the role-level concurrent real-time search job limit. It is important to understand the difference here. Since we are creating a role, let’s say there are five users who belong to the role. With the user-level limits, each of the five users gets their own individual search job limit and individual real-time search job limit. With the role-level limits, you can instead say that all users who are part of the role can together run a maximum of ten concurrent search jobs and a maximum of ten concurrent real-time search jobs. So one limit applies per individual user and the other applies to the role as a whole. The next important part here is ‘Limit total job disk space’. Typically whenever you run searches, or some complex job, it takes a certain amount of disk space, and you can set that limit over here. Below this you have inheritance.

So let’s say, and let’s go to roles over here, I already have a role called user, which comes by default and has certain capabilities. What I want is, along with these capabilities, to add one more capability called admin_all_objects. If you click over here it will be selected and it will appear under the selected capabilities; you see admin_all_objects there. But as a best practice, it is recommended that you should not modify the pre-built roles that are present. You can create your own custom role instead.

So in case you want all the capabilities of the user role plus one more capability, admin_all_objects, then instead of modifying the user role from here, within the custom role you can say it inherits from user, and then add the one more capability that we want to assign, which is admin_all_objects, or say aws_admin_capability. This is the ideal way of doing things. The next part is ‘Indexes searched by default’. Whenever you run a search without explicitly naming an index, it will only search the selected index, which is main. You can have a lot of indexes.

Now, if you do not explicitly specify index=special_index in the search, it will not search the other indexes; it will only search the index called main. You also have an option for restricting which indexes the role is allowed to search at all. We’ll be discussing that in the upcoming videos, but for the time being this is what we will be looking at. Once we have seen the basics, we can go ahead and click on Save. Perfect. Now that our role is created, we can go ahead and create a new user. I’ll click on New User and say the username is custom user. I’ll quickly set the password. You can even set the time zone: if the user is from, say, the US, you can set the time zone for them, and they also have the ability to change the time zone according to what they need. For the default app, let’s say Search & Reporting. This is the default app. Now, assign to roles.
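The users → roles → capabilities model from the previous video and the inheritance, search-filter and index settings walked through above, as an added example that is not part of the course or of Splunk’s code: a small resolver that reads a constructed, simplified authorize.conf (the file behind the Roles UI; importRoles is the Inheritance box, srchFilter is Restrict search terms, srchIndexesAllowed and srchIndexesDefault are the index settings) and computes a role’s effective capabilities, allowed indexes and search filter across everything it imports. The stanzas, the role names and the hypothetical role_both are constructed; the default roles shipped with Splunk carry more keys than shown here. Search filters are combined with OR across a role and the roles it imports, which is how Splunk combines them, so the check to make before importing a second restricted role is whether the union is still what you intended.

```python
"""Resolve a Splunk role's effective capabilities, index access and search
filter from an authorize.conf-style file (added example; not Splunk code)."""
import configparser
from typing import Dict, Iterator, List, Set

# Constructed, simplified authorize.conf. Real default stanzas carry more keys
# and the admin/power/user defaults differ from these; only the shape matters.
# importRoles is the "Inheritance" box in the UI, srchFilter is
# "Restrict search terms", srchIndexesAllowed/srchIndexesDefault are the
# index settings, and every other "<name> = enabled" line is a capability.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main
search = enabled
list_inputs = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_can_delete]
delete_by_keyword = enabled

[role_admin]
importRoles = power;user;can_delete
srchIndexesAllowed = *;_*
admin_all_objects = enabled
change_authentication = enabled

# The role built in the video: everything "user" has, plus admin_all_objects,
# with searches pinned to one (constructed) source name.
[role_custom_role]
importRoles = user
srchFilter = source=access_log
srchIndexesDefault = main
admin_all_objects = enabled

[role_web_only]
importRoles = user
srchFilter = sourcetype=access_combined
srchIndexesAllowed = web

# Hypothetical role that imports two restricted roles at once.
[role_both]
importRoles = custom_role;web_only
"""

# Stanza keys that are settings, not capability names.
SETTING_KEYS = {
    "importRoles", "srchFilter", "srchIndexesAllowed", "srchIndexesDefault",
    "srchTimeWin", "srchJobsQuota", "rtSrchJobsQuota",
    "cumulativeSrchJobsQuota", "cumulativeRTSrchJobsQuota", "srchDiskQuota",
}


def parse_authorize(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case: srchFilter, admin_all_objects, ...
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}


def _lineage(roles: Dict[str, Dict[str, str]], name: str, seen: Set[str]) -> Iterator[str]:
    """Yield a role and everything it imports, depth-first and cycle-safe."""
    if name in seen or name not in roles:
        return
    seen.add(name)
    yield name
    for parent in roles[name].get("importRoles", "").split(";"):
        if parent.strip():
            yield from _lineage(roles, parent.strip(), seen)


def effective(roles: Dict[str, Dict[str, str]], name: str) -> Dict[str, object]:
    """Union capabilities and allowed indexes over the lineage; OR the filters."""
    caps: Set[str] = set()
    indexes: Set[str] = set()
    filters: List[str] = []
    for r in _lineage(roles, name, set()):
        stanza = roles[r]
        caps |= {k for k, v in stanza.items()
                 if k not in SETTING_KEYS and v.strip() == "enabled"}
        indexes |= {i.strip() for i in stanza.get("srchIndexesAllowed", "").split(";")
                    if i.strip()}
        f = stanza.get("srchFilter", "").strip()
        if f:
            filters.append(f)
    # Filters from a role and the roles it imports are OR'd, so importing a
    # second restricted role widens, never narrows, what the user can search.
    # An empty filter contributes nothing: the video's custom role stays
    # pinned to its source even though it imports the unrestricted "user".
    combined = " OR ".join(f"({f})" for f in filters)
    return {"capabilities": caps, "indexes": indexes, "search_filter": combined}


ROLES = parse_authorize(SAMPLE_AUTHORIZE_CONF)

if __name__ == "__main__":
    for role in ("user", "custom_role", "both", "admin"):
        e = effective(ROLES, role)
        print(f"{role:12} caps={sorted(e['capabilities'])} "
              f"indexes={sorted(e['indexes'])} filter={e['search_filter'] or '(none)'}")
```

Running it prints custom_role with the three capabilities of user plus admin_all_objects and the single source filter, while role_both ends up with both sources OR’d together and both index sets, which is exactly the widening that modifying or stacking pre-built roles can introduce unnoticed.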

The default one is user. We do not want this user in the user role, because we created the custom role with one more capability. So we’ll just deselect it by clicking on it and click on the custom role, which automatically goes into the selected items. ‘Require password change on first login’ I’ll just deselect for now, just for demo purposes. Once you click on Save, your custom user is created. So now let’s do one thing: let’s log out from the user zeal and log in as the custom user. As expected, we land directly in our Search & Reporting app.

Now, if you search index=* over All time, you see over here that you are limited to the access log source only. I hope you remember that we had explicitly restricted the search to the access log, and hence, even though there are a lot of other logs present, logs from other sources, the user is only able to search the access log. This is the high-level overview of how you can create a custom role, add a new user to the custom role, and what exactly the default app option is all about. So with this we’ll conclude this video. I hope this has been informative for you and I look forward to seeing you in the next video.
