Hi all,
I'm currently evaluating the IT block data signing feature of Splunk and have some questions about it:
Hope anyone has some answers 😉
Thanks, Simon
IT data block signing basically takes a configured number of events (100 by default I believe, but 300-1000 might be better numbers to use depending on your volume) and then cryptographically signs the entire block of events. This signature is stored in a different index within Splunk. Once you do a Show Source, Splunk computes the hashes for the displayed data blocks and compares them to the stored values.
Is it technically a bit more secure than event hashing? Perhaps. Is it a bit more efficient than event hashing? A little. But there is no way to verify the integrity of the entire index if you use IT data block signing like there is with event hashing (| audit). In the end, with both of the hashing and signing methods, once an attacker gains access to your file system they can tamper with your events and technically hide their activity by just resigning/rehashing the events.
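A small model of the mechanism described in this answer, added here as an illustration and not Splunk's own code: events are grouped into fixed-size blocks, each block's digest is signed and stored in a separate "signature index", and verification recomputes the signatures. HMAC-SHA256 with a constructed key stands in for whatever signing primitive Splunk actually uses, the block size and sample events are made up, and `verify_index` is the whole-index check the answer notes block signing lacks out of the box.

```python
import hashlib
import hmac
import json

BLOCK_SIZE = 3  # Splunk's default is reportedly 100 events per block; tiny here for the demo

# Constructed sample events standing in for an index's raw data
EVENTS = [f"2023-01-01T00:00:{i:02d} host=web1 action=login user=u{i}" for i in range(7)]


def block_digest(events):
    """SHA-256 over the canonical JSON encoding of one block of events."""
    return hashlib.sha256(json.dumps(events).encode()).hexdigest()


def sign_index(events, key, block_size=BLOCK_SIZE):
    """Sign every block; the returned dict models the separate signature index."""
    sigs = {}
    for block_id, start in enumerate(range(0, len(events), block_size)):
        digest = block_digest(events[start:start + block_size])
        sigs[block_id] = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return sigs


def verify_index(events, sigs, key, block_size=BLOCK_SIZE):
    """Recompute each block's signature from the raw data and return the ids of
    blocks whose stored signature no longer matches (empty list means intact)."""
    expected = sign_index(events, key, block_size)
    return [b for b in sigs if not hmac.compare_digest(sigs[b], expected.get(b, ""))]


if __name__ == "__main__":
    key = b"demo-signing-key"  # constructed; in practice this key is the whole game
    sigs = sign_index(EVENTS, key)
    print("clean index, failing blocks:", verify_index(EVENTS, sigs, key))

    tampered = list(EVENTS)
    tampered[4] = tampered[4].replace("action=login", "action=logout")
    print("after editing event 4, failing blocks:", verify_index(tampered, sigs, key))

    # The caveat from the answer: whoever can also re-sign hides the edit completely.
    resigned = sign_index(tampered, key)
    print("after re-signing, failing blocks:", verify_index(tampered, resigned, key))
```

The last check is why the signing key, not just the signature index, has to be out of reach of anyone who can write to the raw data.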
Thanks, ftk, this solves all my questions.