Solved: Running a vulnerability scan on my CentOS 6 Splunk...

terryjohn · ‎09-10-2015

I am running a Centos 6 machine with splunkforwarder-6.2.5 installed. When running a vulnerability scan using OpenVAS, it tells me that usage of SSLv2 and SSLv3 can be detected. The messages are

Deprecated SSLv2 and SSLv3 Protocol Detection: port 8089
  It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

I have edited $SPLUNK_HOME/etc/system/local/inputs.conf

[SSL]
sslVersions = tls

I have also edited $SPLUNK_HOME/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
sslVersions = tls

After restarting the forwarder, another scan showed the same vulnerabilities.

I need to know if these are the right files to change to prevent the splunk forwarder from using any protocol less than TLSv1.0

alacercogitatus · ‎09-10-2015

The settings you have chosen are for Splunk Web, not the management port (8089). You need to edit the server.conf.

server.conf

 [sslConfig]
 sslVersions = tls

The documentation is at http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf . The relevant portion is below.

[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
    * NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use web.conf.
* Follow this stanza name with any number of the following attribute/value pairs.  
* If you do not specify an entry for each attribute, Splunk will use the default value.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

View solution in original post

alacercogitatus · ‎09-10-2015

The settings you have chosen are for Splunk Web, not the management port (8089). You need to edit the server.conf.

server.conf

 [sslConfig]
 sslVersions = tls

The documentation is at http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf . The relevant portion is below.

[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
    * NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use web.conf.
* Follow this stanza name with any number of the following attribute/value pairs.  
* If you do not specify an entry for each attribute, Splunk will use the default value.

sslVersions = <versions_list>
* Comma-separated list of SSL versions to support
* The versions available are "ssl2", "ssl3", "tls1.0", "tls1.1", and "tls1.2"
* The special version "*" selects all supported versions.  The version "tls"
  selects all versions tls1.0 or newer
* If a version is prefixed with "-" it is removed from the list
* When configured in FIPS mode ssl2 and ssl3 are always disabled regardless of this configuration
* Defaults to "*,-ssl2".  (anything newer than SSLv2)

terryjohn · ‎09-10-2015

This fixed it, thanks.

As an aside I realised a quicker way of testing it is to use the openssl connect

 openssl s_client -connect localhost:8089 -ssl2

Running a vulnerability scan on my CentOS 6 Splunk forwarder, why am I getting "Deprecated SSLv2 and SSLv3 Protocol Detection: port 8089"?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?