Deployment Architecture

Where are the limitations of IT block data signing?

Simon
Contributor

Hi all,

I'm currently evaluating the IT block data signing feature of Splunk and have some questions about it:

  • How does Splunk compare the indexed data with the data on my source? Is there a back communication to my forwarder?
  • How can I test this feature? I made a test by just changing some lines in the logfile, but Splunk still tells me that there aren't any gaps.
  • What does Splunk do when my source log is already gone, maybe rolled by log4j?
  • Does IT data block signing also work with Windows Event Logs?

Hope anyone has some answers 😉

Thanks, Simon

1 Solution

ftk
Motivator
  • Splunk does not compare the indexed data with your source with data block signing; there is no communication to the forwarder.
  • You can test this feature by 1) turning on data block signing, 2) modifying the Splunk database at the filesystem level, 3) doing an integrity check -- the checksum should now be off.
  • Splunk will index your data as usual.
  • Yes -- it works with any data Splunk can index.

IT data block signing basically takes a configured number of events (100 by default I believe, but 300-1000 might be better numbers to use depending on your volume) and then cryptographically signs the entire block of events. This signature is stored in a different index within Splunk. Once you do a Show Source, Splunk computes the hashes for the displayed data blocks and compares them to the stored values.

Is it technically a bit more secure than event hashing? Perhaps. Is it a bit more efficient than event hashing? A little. But there is no way to verify the integrity of the entire index if you use IT data block signing like there is with event hashing (| audit). In the end, with both of the hashing and signing methods, once an attacker gains access to your file system they can tamper with your events and technically hide their activity by just resigning/rehashing the events.

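A constructed Python model of the block-signing scheme ftk describes above, added here as an illustration and not Splunk's own code or anything from the post: events are signed in fixed-size blocks, the signatures live in a separate store, and verification only inspects the indexed copy. The key, block size, log lines and function names are all assumptions for the demo.

```python
import hashlib
import hmac

# Constructed illustration: every BLOCK_SIZE consecutive events are signed as
# one unit and the signatures are kept apart from the events (the "different
# index" of the post). BLOCK_SIZE is tiny here; the post cites 100 as default.
BLOCK_SIZE = 3


def _block_digest(block, key):
    # Join the block's raw events and MAC them with the signing key (assumed HMAC-SHA256).
    return hmac.new(key, "\n".join(block).encode(), hashlib.sha256).hexdigest()


def sign_blocks(events, key, block_size=BLOCK_SIZE):
    """Return the signature store: {block_number: hex digest}."""
    return {n // block_size: _block_digest(events[n:n + block_size], key)
            for n in range(0, len(events), block_size)}


def verify_blocks(events, sigs, key, block_size=BLOCK_SIZE):
    """Recompute each stored block over the indexed data; return failing block numbers."""
    failed = []
    for blk_no, stored in sigs.items():
        block = events[blk_no * block_size:(blk_no + 1) * block_size]
        if not hmac.compare_digest(_block_digest(block, key), stored):
            failed.append(blk_no)
    return failed


def demo():
    key = b"constructed-signing-key"          # assumption: a key held by the indexer
    source_log = [f"2024-08-01T10:00:{i:02d} app=demo msg=event{i}" for i in range(7)]
    indexed = list(source_log)                # the copy the indexer stored
    sigs = sign_blocks(indexed, key)          # blocks 0 and 1 full, block 2 partial

    # 1) Editing the source file after indexing changes nothing: verification
    #    never looks back at the source, so no gap is reported (Simon's test).
    source_log[4] = "tampered at the source"
    assert verify_blocks(indexed, sigs, key) == []

    # 2) Editing the indexed data is caught and localised to block 1.
    indexed[4] = "tampered in the index"
    assert verify_blocks(indexed, sigs, key) == [1]

    # 3) Caveat from the post: with access to key and signature store, the
    #    tampered blocks can simply be re-signed and verification passes again.
    sigs = sign_blocks(indexed, key)
    assert verify_blocks(indexed, sigs, key) == []
    return sigs


if __name__ == "__main__":
    demo()
```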

Simon
Contributor

Thanks, ftk, this solves all my questions.
