Securing Splunk Enterprise
Add and edit roles with authorize.conf
You can add or modify roles by editing authorize.conf. Users are assigned to roles that determine their level of access and the tasks that they can perform. For more information about roles and capabilities, read About role-based user access.
Never edit or delete roles in $SPLUNK_HOME/etc/system/default/authorize.conf. This could break your admin capabilities. Instead, edit the local version at $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.
You must reload authentication or restart Splunk Enterprise after making changes to authorize.conf. Otherwise, your new roles will not appear in the Role list. See Refresh the authentication scheme in this topic for instructions to refresh authentication without restarting the Splunk platform.
For more information, see
- authorize.conf
- About configuration files in the Admin Manual.
Note: Distributed search configurations have slightly different authorization needs. When you use search head clustering, you must make sure that the search heads and the search peers all use the same set of authorize.conf file(s). To make sure your authorization is properly set up for search pooling, see How authorization works in distributed searches.
Add roles
Here's the syntax for adding roles through $SPLUNK_HOME/etc/system/local/authorize.conf:

```
[role_<roleName>]
<setting> = <value>
<setting> = <value>
...
```

The <roleName> in the stanza header is the name you want to give your role. For example: security, compliance, ninja.
Role names must use lowercase characters only. They cannot contain spaces, colons, semicolons, or forward slashes.
You can include these settings in the role stanza:
Setting | Definition | Default | For more information
---|---|---|---
<capability> = enabled | You can add any number of capabilities to a role. To add a capability to a role, set that capability to "enabled". | disabled | See About defining roles with capabilities.
importRoles = <role>;<role>;... | When set, the current role inherits the capabilities from <role>. Members assigned to multiple roles inherit properties from the role with the broadest permissions. If you enter multiple roles, separate them with semicolons. | No roles set. | See Role inheritance.
srchFilter = <search_string> | This setting lets you define detailed data access controls. Users with this role will have their searches filtered by this expression. | No filters are set. | See Search filter format.
srchTimeWin = <string> | The maximum time span in seconds allowed for a search executed by a user in this role. | Not set. Search times are not limited. |
srchDiskQuota = <int> | The maximum amount of disk space (MB) that can be used by search jobs performed by a user assigned to this role. | 100 |
cumulativeSrchJobsQuota = <number> | The maximum number of concurrently running historical searches that all members of this role can have. For this setting to apply, you must also set enable_cumulative_quota = true in limits.conf. When a user belongs to multiple roles, the user uses searches from the roles with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used. | Not set. |
cumulativeRTSrchJobsQuota = <number> | The maximum number of concurrently running real-time searches that all members of this role can have. For this setting to apply, you must also set enable_cumulative_quota = true in limits.conf. If the user belongs to multiple roles, the user uses searches from the roles with the largest cumulative search quota first. When the quota for that role is completely used up, roles with lower quotas are used. | Not set. |
srchJobsQuota = <int> | The maximum number of concurrently running searches a member of this role can have. | 3 |
rtSrchJobsQuota = <number> | The maximum number of concurrently running real-time searches a member of this role can have. | 6 |
srchIndexesDefault = <string> | A semicolon-delimited list of default indexes to search when no index is specified. The list can include both event indexes and metric indexes. When the user runs an event search that does not specify an index, the search runs over the default event indexes. When the user runs a metrics search that does not specify an index, the search runs over the default metrics indexes. | Not set. |
srchIndexesAllowed = <string> | A semicolon-delimited list of indexes this role is allowed to search. The list can include both event and metrics indexes. You can wildcard your entries. However, the wildcard '*' will not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'. | Not set. |
Search filter format
The srchFilter field can include any of the following search terms:
- source=
- host= and host tags
- index= and index names
- eventtype= and event type tags
- sourcetype=
- search fields
- wildcards
- use OR to use multiple terms, or AND to make searches more restrictive.
The search terms cannot include:
- saved searches
- time operators
- regular expressions
- any fields or modifiers Splunk Web can overwrite
Example of creating a role in authorize.conf
This example creates the role "ninja", which inherits capabilities from the default "user" role. ninja has almost the same capabilities as the default "power" role, except it cannot schedule searches. In addition:
- The search filter limits ninja to searching on host=foo.
- ninja is allowed to search all public indexes (those that do not start with underscore) and will search the indexes mail and main if no index is specified in the search.
- ninja is allowed to run 8 search jobs and 8 real-time search jobs concurrently. (These counts are independent.)
- ninja is allowed to occupy up to 500MB total space on disk for all its jobs.

```
[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
srchJobsQuota = 8
rtSrchJobsQuota = 8
srchDiskQuota = 500
```
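As an added illustration that is not part of the Splunk documentation, the Python below loads a constructed authorize.conf shaped like the stanza above, checks role names against the naming rules in this topic, resolves importRoles inheritance to list a role's effective capabilities, and applies the rule that a '*' in srchIndexesAllowed never matches internal indexes. The role_user stanza is a made-up stand-in for the default user role, not Splunk's definition of it.

```python
import configparser
import fnmatch

# Constructed sample shaped like a local authorize.conf; role_user is a made-up stand-in for the default role.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
srchIndexesAllowed = main
[role_ninja]
rtsearch = enabled
importRoles = user
srchFilter = host=foo
srchIndexesAllowed = *
srchIndexesDefault = mail;main
"""

def valid_role_name(name):
    """Lowercase only; no spaces, colons, semicolons or forward slashes."""
    return name != "" and name == name.lower() and not set(" :;/") & set(name)

def load_roles(text):
    """Return {roleName: {setting: value}} for every [role_<roleName>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names such as importRoles case-sensitive
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            name = section[len("role_"):]
            if not valid_role_name(name):
                raise ValueError(f"invalid role name: {name!r}")
            roles[name] = dict(cp[section])
    return roles

def effective_capabilities(roles, name, seen=frozenset()):
    """Capabilities set to 'enabled' on the role or on any role it imports."""
    if name in seen or name not in roles:  # cycle or unknown import: add nothing
        return set()
    caps = {k for k, v in roles[name].items() if v.strip() == "enabled"}
    for parent in roles[name].get("importRoles", "").split(";"):
        caps |= effective_capabilities(roles, parent.strip(), seen | {name})
    return caps

def index_allowed(roles, name, index):
    """srchIndexesAllowed check: '*' never matches internal (_-prefixed) indexes."""
    for pattern in map(str.strip, roles[name].get("srchIndexesAllowed", "").split(";")):
        if pattern and (pattern.startswith("_") or not index.startswith("_")):
            if fnmatch.fnmatchcase(index, pattern):
                return True
    return False
```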
Refresh the authentication scheme
After you make changes to authorize.conf, you must refresh the authentication scheme to have the changes take effect. You can do this with either Splunk Web or the CLI. Refreshing the authentication scheme doesn't log users off of the system.
A restart of the Splunk platform reloads authentication, but it also logs users off of the system, and there is no requirement to restart the platform to refresh authentication.
Refresh the authentication scheme using Splunk Web
- From the system bar, click Settings > Access controls > Authentication method.
- Click Reload authentication configuration. This refreshes the authentication caches but does not boot current users from the system.
Refresh the authentication scheme using the CLI
- On the Splunk platform instance where you want to reload authentication, open a shell prompt or PowerShell window.
- Switch to the $SPLUNK_HOME/bin directory.
- Use the CLI command ./splunk reload auth:

```
./splunk reload auth
```
The authentication scheme cache resets immediately.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14