Deployment Architecture

Where are the limitations of IT block data signing?

Simon
Contributor

Hi all,

I'm currently evaluating the IT block data signing feature of splunk and have some questions about it:

  • How does splunk compare the indexed data with the data on my source? Is there any communication back to my forwarder?
  • How can I test this feature? I made a test by just changing some lines in the logfile, but splunk still tells me that there aren't any gaps.
  • What does splunk do when my source log is already gone, maybe rolled by log4j?
  • Does IT data block signing also work with Windows Event Logs?

Hope someone has some answers 😉

Thanks, Simon

1 Solution

ftk
Motivator
  • Splunk does not compare the indexed data with your source with data block signing, there is no communication to the forwarder.
  • You can test this feature by 1) turning on data block signing 2) modifying the splunk database at the filesystem level 3) doing an integrity check -- the checksum should now be off.
  • Splunk will index your data as usual.
  • Yes -- it works with any data splunk can index.

IT data block signing basically takes a configured number of events (100 by default I believe, but 300-1000 might be better numbers to use depending on your volume) and then cryptographically signs the entire block of events. This signature is stored in a different index within splunk. Once you do a Show Source, splunk computes the hashes for the displayed data blocks and compares them to the stored values.

Is it technically a bit more secure than event hashing? Perhaps. Is it a bit more efficient than event hashing? A little. But there is no way to verify the integrity of the entire index if you use IT data block signing like there is with event hashing (| audit). In the end, with both of the hashing and signing methods, once an attacker gains access to your file system they can tamper with your events and technically hide their activity by just resigning/rehashing the events.

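A small model of the scheme ftk describes, added here as an illustration and not Splunk's own code: events are grouped into fixed-size blocks, each block gets one signature kept in a separate store, verification recomputes a block's digest on demand, and an attacker who reaches both the data and the signing material can re-sign an edited block so the check passes again. The sample events, the HMAC-SHA256 choice, the key and the block size of 100 are all constructed assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 100  # the answer says 100 events per block by default; constructed here

# Constructed sample log: 250 events -> two full blocks plus a partial third
EVENTS = [f"2021-10-01T00:00:{i % 60:02d} host=web1 msg=request id={i}" for i in range(250)]
SIGNING_KEY = b"constructed-demo-key"  # placeholder for whatever key the indexer would hold


def _block(events, block_id, block_size=BLOCK_SIZE):
    return events[block_id * block_size:(block_id + 1) * block_size]


def _sign(block, key):
    # One HMAC over the concatenated raw events of a block, not one per event
    return hmac.new(key, "\n".join(block).encode(), hashlib.sha256).hexdigest()


def sign_blocks(events, key, block_size=BLOCK_SIZE):
    """Return {block_id: signature}; this dict stands in for the separate signature index."""
    count = (len(events) + block_size - 1) // block_size
    return {b: _sign(_block(events, b, block_size), key) for b in range(count)}


def verify_block(events, sigs, block_id, key, block_size=BLOCK_SIZE):
    """Recompute one block's digest (what a Show Source would do) and compare in constant time."""
    stored = sigs.get(block_id)
    if stored is None:
        return False
    return hmac.compare_digest(_sign(_block(events, block_id, block_size), key), stored)


def tampered_blocks(events, sigs, key, block_size=BLOCK_SIZE):
    """Walk every signed block and return the ids whose signature no longer matches."""
    return [b for b in sigs if not verify_block(events, sigs, b, key, block_size)]


def demo():
    sigs = sign_blocks(EVENTS, SIGNING_KEY)
    before = tampered_blocks(EVENTS, sigs, SIGNING_KEY)          # clean data: []
    edited = list(EVENTS)
    edited[150] = edited[150].replace("web1", "web9")           # filesystem-level edit, lands in block 1
    after = tampered_blocks(edited, sigs, SIGNING_KEY)          # detected: [1]
    # The caveat from the answer: with access to the key and the signature store as well,
    # the edited block is simply re-signed and verification is silent again.
    sigs[1] = _sign(_block(edited, 1), SIGNING_KEY)
    resigned = tampered_blocks(edited, sigs, SIGNING_KEY)       # back to []
    return before, after, resigned
```

The defensive takeaway is the one ftk makes: the signature store and key need to live somewhere the indexer's filesystem compromise does not reach, or the check only catches accidental corruption.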


Simon
Contributor

Thanks, ftk, this solves all my questions.
