
Does Splunk Support SHA-256 or SHA-1?

Path Finder

Does Splunk support SHA-256 or is it backwards compatible with SHA-1?

0 Karma

Re: Does Splunk Support SHA-256 or SHA-1?

Legend

Support SHA-256/SHA-1 for what?

0 Karma

Re: Does Splunk Support SHA-256 or SHA-1?

Basically, Splunk index data is encrypted as SHA-256.

audit.conf

EVENT HASHING: turn on SHA256 event hashing.

[eventHashing]
* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.
filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right. Two special filters are provided by default:
blacklist_all and whitelist_all, use them to terminate the list of your filters. For example
if your list contains only whitelists, then terminating it with blacklist_all will result in
signing of only events that match any of the whitelists. The default implicit filter list
terminator is whitelist_all.

====================================================================
In Version 6.0.2, you can set SHA-256 in authentication.conf for user password.

[authentication]
* Follow this stanza name with any number of the following attribute/value pairs.

authType = [Splunk|LDAP|Scripted]
* Specify which authentication system to use.
* Supported values: Splunk, LDAP, Scripted.
* Defaults to Splunk.

authSettings = ,,...
* Key to look up the specific configurations of chosen authentication system.
* is the name of a stanza header that specifies attributes for an LDAP strategy
or for scripted authentication. Those stanzas are defined below.
* For LDAP, specify the LDAP strategy name(s) here. If you want Splunk to query multiple LDAP servers,
enter a comma-separated list of all strategies. Each strategy must be defined in its own stanza. The order in
which you specify the strategy names will be the order Splunk uses to query their servers when looking for a user.
* For scripted authentication, should be a single stanza name.

passwordHashAlgorithm = [SHA512-crypt|SHA256-crypt|SHA512-crypt-|SHA256-crypt-|MD5-crypt]
* For the default "Splunk" authType, this controls how hashed passwords are stored in the $SPLUNK_HOME/etc/passwd file.
* "MD5-crypt" is an algorithm originally developed for FreeBSD in the early 1990's which became a widely used
standard among UNIX machines. It was also used by Splunk up through the 5.0.x releases. MD5-crypt runs the
salted password through a sequence of 1000 MD5 operations.
* "SHA256-crypt" and "SHA512-crypt" are newer versions that use 5000 rounds of the SHA256 or SHA512 hash
functions. This is slower than MD5-crypt and therefore more resistant to dictionary attacks. SHA512-crypt
is used for system passwords on many versions of Linux.
* These SHA-based algorithm can optionally be followed by a number of rounds to use. For example,
"SHA512-crypt-10000" will use twice as many rounds of hashing as the default implementation. The
number of rounds must be at least 1000.
* This setting only affects new password settings (either when a user is added or a user's password
is changed) Existing passwords will continue to work but retain their previous hashing algorithm.
* The default is "SHA512-crypt".
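
An added example, not part of the original posts and not Splunk's own code: because the quoted authentication.conf text says the setting only affects newly set passwords, this script reads the crypt-style prefix of each stored hash and lists the accounts whose hash does not match the configured passwordHashAlgorithm. The ":user:hash:..." line layout, the function names and the sample lines are assumptions constructed for illustration; the $1$/$5$/$6$ prefixes and the rounds=N field are the standard crypt(3) conventions.

```python
import re

# crypt(3) modular format: $id$[rounds=N$]salt$digest
CRYPT_RE = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?[^$:]*\$[./0-9A-Za-z]+$")
# id -> (passwordHashAlgorithm name, rounds used when the hash states none)
ALGOS = {"1": ("MD5-crypt", 1000), "5": ("SHA256-crypt", 5000), "6": ("SHA512-crypt", 5000)}


def classify_hash(value):
    """Return (algorithm, rounds) for a crypt-style hash, or None."""
    m = CRYPT_RE.match(value)
    if not m:
        return None
    name, default_rounds = ALGOS[m.group(1)]
    fixed = m.group(1) == "1" or m.group(2) is None  # MD5-crypt rounds are fixed
    return name, default_rounds if fixed else int(m.group(2))


def parse_setting(setting):
    """Split a passwordHashAlgorithm value such as 'SHA512-crypt-10000'."""
    m = re.fullmatch(r"(MD5-crypt|SHA(?:256|512)-crypt)(?:-(\d+))?", setting)
    if not m or (m.group(2) and m.group(1) == "MD5-crypt"):
        raise ValueError(f"unrecognised setting: {setting}")
    default = 1000 if m.group(1) == "MD5-crypt" else 5000
    return m.group(1), int(m.group(2)) if m.group(2) else default


def stale_entries(lines, setting="SHA512-crypt"):
    """List (user, algorithm, rounds) whose stored hash differs from the setting."""
    expected = parse_setting(setting)
    stale = []
    for line in lines:
        fields = line.strip().split(":")
        for i, field in enumerate(fields):
            found = classify_hash(field)
            if found and i > 0 and found != expected:
                stale.append((fields[i - 1], *found))  # assumed: user precedes hash
    return stale

# Constructed sample lines (assumed layout ":user:hash:..."), not real hashes.
SAMPLE = [
    ":admin:$6$Qx1examplesalt$" + "A" * 86 + "::Administrator:admin",
    ":olduser:$1$abcdefgh$" + "B" * 22 + "::Old User:user",
    ":svc:$6$rounds=10000$saltsaltsalt$" + "C" * 86 + "::Service:power",
]

if __name__ == "__main__":
    for user, algo, rounds in stale_entries(SAMPLE):
        print(f"{user}: {algo} ({rounds} rounds) differs from setting; reset to rehash")
```
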