Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where are the limitations of IT block data signing?

Simon
Contributor
‎08-17-2010 09:40 AM

Hi all,

I'm currently evaluating the IT block data signing feature of splunk and have some questions about it:

  • How compares splunk the indexed data with the data on my source? Is there a back communication to my forwarder?
  • How can I test this features? I made a test by just changing some lines in the logfile, but splunk still tells me that there aren't any gaps.
  • What does splunk when my source log is already gone, maybe rolled by log4j?
  • Does IT data block signing also work with Windows Event Logs?

Hope anyone has some answers 😉

Thanks, Simon

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎08-17-2010 12:33 PM
  • Splunk does not compare the indexed data with your source with data block signing, there is no communication to the forwarder.
  • You can test this feature by 1) turning on data block signing 2) modifying the splunk database at the filesystem level 3) doing an integrity check -- the checksum should now be off.
  • Splunk will index your data as usual.
  • Yes -- it works with any data splunk can index.

IT data block signing basically takes a configured number of events (100 by default I believe, but 300-1000 might be better numbers to use depending on your volume) and then cryptographically signs the entire block of events. This signature is stored in a different index within splunk. Once you do a Show Source, splunk computes the hashes for the displayed data blocks and compares them to the stored values.

Is it technically a bit more secure than event hashing? Perhaps. Is it a bit more efficient than event hashing? A little. But there is no way to verify the integrity of the entire index if you use IT data block signing like there is with event hashing (| audit). In the end, with both of the hashing and signing methods, once an attacker gains access to your file system they can tamper with your events and technically hide their activity by just resigning/rehashing the events.

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎08-17-2010 12:33 PM
  • Splunk does not compare the indexed data with your source with data block signing, there is no communication to the forwarder.
  • You can test this feature by 1) turning on data block signing 2) modifying the splunk database at the filesystem level 3) doing an integrity check -- the checksum should now be off.
  • Splunk will index your data as usual.
  • Yes -- it works with any data splunk can index.

IT data block signing basically takes a configured number of events (100 by default I believe, but 300-1000 might be better numbers to use depending on your volume) and then cryptographically signs the entire block of events. This signature is stored in a different index within splunk. Once you do a Show Source, splunk computes the hashes for the displayed data blocks and compares them to the stored values.

Is it technically a bit more secure than event hashing? Perhaps. Is it a bit more efficient than event hashing? A little. But there is no way to verify the integrity of the entire index if you use IT data block signing like there is with event hashing (| audit). In the end, with both of the hashing and signing methods, once an attacker gains access to your file system they can tamper with your events and technically hide their activity by just resigning/rehashing the events.

Reply
Solved! Jump to solution

Simon
Contributor
‎08-19-2010 11:17 AM

Thanks, ftk, this solves all my questions.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...