Splunk 4.3: shiny new security features

“Security!  Security!  Security!”

Fellow Splunkers,

Yes, the old proverb is still true – there is perhaps nothing that gets the heart racing quite like… announcing new security features in enterprise software!  So fasten your seatbelt while I tell you about some of the exciting new features that made it in to Splunk 4.3.


All of these changes pertain to Splunk Web, which is the application server that you visit every time you point your browser at your friendly neighborhood search head, usually on port 8000.

Configurable Cipher Lists!

One of the biggest complaints that we get from customers usually stems from a ding received during a vulnerability scan or penetration test.

In these cases, customers report that Splunk Web supports weak ciphers, and ask how they can specify a valid cipher list such as they were able to do for splunkd via the cipherSuite setting in server.conf.

With Splunk 4.3, it is now possible to specify the list of ciphers that should be allowed in web.conf via the the cipherSuite parameter:

cipherSuite = <cipher suite string>
   * If set, uses the specified cipher string for the HTTP server.
   * If not set, uses the default cipher string
     provided by OpenSSL.  This is used to ensure that the server does not
     accept connections using weak encryption protocols.

For example, to set Splunk Web to only use TLS version 1.0 cipher suites, set the following in web.conf and restart Splunk:

cipherSuite = TLSv1

Non-persistent Cookies!

Another common complaint from customers was that Splunk Web cookies were persistent.  In other words, the cookies were set with a future expiration date, which meant that they would often persist even after the browser was closed.

This was a problem for some of us paranoid folks, as it meant that the Splunk Web session key was persisted on disk beyond the life of the browser session.  Thus begat tools.sessions.restart_persist in web.conf:

tools.sessions.restart_persist = [True | False]
    * If set to False then the session cookie will be deleted from the browser
      when the browser quits
    * Defaults to True - Sessions persist across browser restarts
      (assuming the tools.sessions.timeout limit hasn't been reached)

For example, to set Splunk Web not to use persistent cookies, set the following in web.conf and restart Splunk:

tools.sessions.restart_persist = False

HttpOnly and Secure Cookie Flags!

Finally, we heard a lot from folks who wondered why we didn’t offer the ability to set two simple cookie flags in order to help mitigate risk from attacks on a few common vectors.  These were the HttpOnly and Secure cookie flags, which are both now configurable via web.conf:

tools.sessions.httponly = [True | False]
    * If set to True then the session cookie will be made unavailable
      to running javascript scripts, increasing session security
    * Defaults to True = [True | False]
    * If set to True and Splunkweb is configured to server requests using HTTPS
      (see the enableSplunkWebSSL setting) then the browser will only transmit
      the session cookie over HTTPS connections, increasing session security
      * Defaults to True

For these new settings, we have enabled them by default, so there shouldn’t be anything else you need to do other than to upgrade to 4.3.

/End Excitement

Take a deep breath and try to get your heart rate down.

Happy Splunking!  Feel free to drop us a line via support or answers if you have any additional features ideas or questions.

Alex Raitz

Posted by


Show All Tags
Show Less Tags