“Security! Security! Security!”
Yes, the old proverb is still true – there is perhaps nothing that gets the heart racing quite like… announcing new security features in enterprise software! So fasten your seatbelt while I tell you about some of the exciting new features that made it in to Splunk 4.3.
All of these changes pertain to Splunk Web, which is the application server that you visit every time you point your browser at your friendly neighborhood search head, usually on port 8000.
Configurable Cipher Lists!
One of the biggest complaints that we get from customers usually stems from a ding received during a vulnerability scan or penetration test.
In these cases, customers report that Splunk Web supports weak ciphers, and ask how they can specify a valid cipher list such as they were able to do for splunkd via the cipherSuite setting in server.conf.
With Splunk 4.3, it is now possible to specify the list of ciphers that should be allowed in web.conf via the the cipherSuite parameter:
cipherSuite = <cipher suite string> * If set, uses the specified cipher string for the HTTP server. * If not set, uses the default cipher string provided by OpenSSL. This is used to ensure that the server does not accept connections using weak encryption protocols.
For example, to set Splunk Web to only use TLS version 1.0 cipher suites, set the following in web.conf and restart Splunk:
[settings] cipherSuite = TLSv1
Another common complaint from customers was that Splunk Web cookies were persistent. In other words, the cookies were set with a future expiration date, which meant that they would often persist even after the browser was closed.
This was a problem for some of us paranoid folks, as it meant that the Splunk Web session key was persisted on disk beyond the life of the browser session. Thus begat tools.sessions.restart_persist in web.conf:
tools.sessions.restart_persist = [True | False] * If set to False then the session cookie will be deleted from the browser when the browser quits * Defaults to True - Sessions persist across browser restarts (assuming the tools.sessions.timeout limit hasn't been reached)
For example, to set Splunk Web not to use persistent cookies, set the following in web.conf and restart Splunk:
[settings] tools.sessions.restart_persist = False
HttpOnly and Secure Cookie Flags!
Finally, we heard a lot from folks who wondered why we didn’t offer the ability to set two simple cookie flags in order to help mitigate risk from attacks on a few common vectors. These were the HttpOnly and Secure cookie flags, which are both now configurable via web.conf:
For these new settings, we have enabled them by default, so there shouldn’t be anything else you need to do other than to upgrade to 4.3.
Take a deep breath and try to get your heart rate down.