
How to validate/remediate RC4 ciphers within Splunk?

a212830
Champion

Hi,

One of our Splunk servers was flagged for using RC4 ciphers. How can I validate and then disable this option within Splunk? We are using 6.5.4.


harsmarvania57
Ultra Champion

Hi @a212830,

If you run the command below on Splunk, it will show that RC4 is present in SSLv3 only.

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v | grep RC4

So based on that, if SSLv3 is not required, you can disable SSLv3 in 3 different files.

  1. For management port (Default port 8089) -> server.conf, under [sslConfig] stanza you can define sslVersions = *, -ssl2, -ssl3
  2. For receiver port (Indexer, Default port 9997) -> inputs.conf, under [SSL] stanza you can define sslVersions = *, -ssl2, -ssl3
  3. For splunkweb port (Default port 8000) -> web.conf, under [settings] stanza you can define sslVersions = *, -ssl2, -ssl3
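
As an added example (not part of the original answer and not Splunk's own tooling), this Python check audits the three file/stanza pairs listed above and reports whether `sslVersions` still leaves SSLv3 selected. The function names and sample file contents are constructed for illustration; the version tokens (`*`, `tls`, `ssl3`, `tls1.0` to `tls1.2`, and the `-` prefix) follow Splunk's `sslVersions` syntax.

```python
# Added example: audit the sslVersions settings named in the answer above.
# (file, stanza) pairs come from the answer; SAMPLE contents are constructed.
TARGETS = [("server.conf", "sslConfig"), ("inputs.conf", "SSL"), ("web.conf", "settings")]
TLS = {"tls1.0", "tls1.1", "tls1.2"}

SAMPLE = {
    "server.conf": "[sslConfig]\nsslVersions = *, -ssl2, -ssl3\n",
    "inputs.conf": "[SSL]\n# receiver still accepts everything\nsslVersions = *\n",
    "web.conf": "[settings]\nhttpport = 8000\n",
}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def allows_ssl3(ssl_versions):
    """True if ssl3 stays selected (assumption: '-' removals apply in any position)."""
    added, removed = set(), set()
    for token in (t.strip().lower() for t in ssl_versions.split(",")):
        if token == "*":
            added |= TLS | {"ssl3"}
        elif token == "tls":
            added |= TLS
        elif token.startswith("-"):
            removed.add(token[1:])
        elif token:
            added.add(token)
    return "ssl3" in added - removed

def audit(files):
    """files: {filename: text} -> {filename: 'ok' | 'ssl3 enabled' | 'not set'}."""
    report = {}
    for name, stanza in TARGETS:
        value = parse_conf(files.get(name, "")).get(stanza, {}).get("sslVersions")
        if value is None:
            report[name] = "not set"  # Splunk's default for that version applies
        else:
            report[name] = "ssl3 enabled" if allows_ssl3(value) else "ok"
    return report
```

On a live instance, pass it the merged settings printed by `$SPLUNK_HOME/bin/splunk btool server list sslConfig` (and the equivalent for `inputs` and `web`) rather than a single file, since Splunk layers several copies of each .conf.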

sloshburch
Splunk Employee

@a212830 - Would you accept this answer if it helped?

a212830
Champion

Done.

Hi Burch!

a212830
Champion

Anyone?
