Security

Does Splunk Support SHA-256 or SHA-1?

allamiro
Path Finder

Does Splunk Support SHA-256 or is it backwards compatible with SHA-1?

0 Karma

jasonchangbompa
Explorer

Basically. Splunk index data is encrypted as SHA-256

audit.conf

EVENT HASHING: turn on SHA256 event hashing.

[eventHashing]
* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.
filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right. Two special filters are provided
by default:
blacklist_all and whitelist_all, use them to terminate the list of your filters. For example
if your list contains only whitelists, then terminating it with blacklist_all will result in
signing of only events that match any of the whitelists. The default implicit filter list
terminator is whitelist_all.

====================================================================
In Version 6.0.2, you can set SHA-256 in authentication.conf for user password.

[authentication]
* Follow this stanza name with any number of the following attribute/value pairs.

authType = [Splunk|LDAP|Scripted]
* Specify which authentication system to use.
* Supported values: Splunk, LDAP, Scripted.
* Defaults to Splunk.

authSettings = ,,...
* Key to look up the specific configurations of chosen authentication system.
* is the name of a stanza header that specifies attributes for an LDAP strategy
or for scripted authentication. Those stanzas are defined below.
* For LDAP, specify the LDAP strategy name(s) here. If you want Splunk to query multiple LDAP servers,
enter a comma-separated list of all strategies. Each strategy must be defined in its own stanza. The order in
which you specify the strategy names will be the order Splunk uses to query their servers when looking for a user.
* For scripted authentication, should be a single stanza name.

passwordHashAlgorithm = [SHA512-crypt|SHA256-crypt|SHA512-crypt-|SHA256-crypt-|MD5-crypt]
* For the default "Splunk" authType, this controls how hashed passwords are stored in the $SPLUNK_HOME/etc/passwd file.
* "MD5-crypt" is an algorithm originally developed for FreeBSD in the early 1990's which became a widely used
standard among UNIX machines. It was also used by Splunk up through the 5.0.x releases. MD5-crypt runs the
salted password through a sequence of 1000 MD5 operations.
* "SHA256-crypt" and "SHA512-crypt" are newer versions that use 5000 rounds of the SHA256 or SHA512 hash
functions. This is slower than MD5-crypt and therefore more resistant to dictionary attacks. SHA512-crypt
is used for system passwords on many versions of Linux.
* These SHA-based algorithms can optionally be followed by a number of rounds to use. For example,
"SHA512-crypt-10000" will use twice as many rounds of hashing as the default implementation. The
number of rounds must be at least 1000.
* This setting only affects new password settings (either when a user is added or a user's password
is changed). Existing passwords will continue to work but retain their previous hashing algorithm.
* The default is "SHA512-crypt".
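
Because existing passwords keep their previous hashing algorithm, accounts created before the setting was changed can still carry MD5-crypt or low-round hashes. The following is an added example (not part of the original answer and not Splunk's code) that audits a passwd-style file for them using the standard crypt(3) prefixes `$1$`, `$5$` and `$6$`. It assumes colon-separated lines with the username in the field just before the hash; the function names and sample lines are constructed for illustration.

```python
# Standard modular-crypt prefixes for the algorithms named in the spec above.
SCHEMES = {"1": "MD5-crypt", "5": "SHA256-crypt", "6": "SHA512-crypt"}
# Default round counts as stated in the quoted authentication.conf text.
DEFAULT_ROUNDS = {"MD5-crypt": 1000, "SHA256-crypt": 5000, "SHA512-crypt": 5000}


def classify(field):
    """Return (algorithm, rounds) for a crypt(3)-style hash field, else None."""
    parts = field.split("$")  # "$6$rounds=N$salt$hash" -> ["", "6", ...]
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        return None
    algo = SCHEMES[parts[1]]
    rounds = DEFAULT_ROUNDS[algo]
    # Only the SHA-based schemes accept an explicit "rounds=N" parameter.
    if algo != "MD5-crypt" and parts[2].startswith("rounds="):
        value = parts[2][len("rounds="):]
        if not value.isdigit():
            return None  # malformed rounds parameter
        rounds = int(value)
    return algo, rounds


def audit(passwd_text, wanted="SHA512-crypt", min_rounds=5000):
    """List (user, algorithm, rounds) for accounts weaker than the policy."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        for i, field in enumerate(fields):
            info = classify(field)
            if info is None:
                continue
            # Assumption: the username is the field just before the hash.
            user = fields[i - 1] if i else "?"
            if info[0] != wanted or info[1] < min_rounds:
                findings.append((user, info[0], info[1]))
            break  # one hash per account line
    return findings


# Constructed sample input; salts and hashes are placeholders, not real values.
SAMPLE = """\
:admin:$6$Qm1xSalt$fakehashfakehashfakehash::Administrator:admin:a@example.com:::
:legacy_svc:$1$abcdSalt$fakehashfakehash::Service account:user::::
:analyst:$5$rounds=10000$saltsalt$fakehashfakehash::Analyst:user::::
:ops:$6$rounds=1000$saltsalt$fakehashfakehash::Ops:power::::
"""

if __name__ == "__main__":
    for user, algo, rounds in audit(SAMPLE):
        print(f"{user}: {algo} ({rounds} rounds) - reset password to rehash")
```

Accounts it reports only move to the configured algorithm once their password is set again, as the spec text above states.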

Ayn
Legend

Support SHA-256/SHA-1 for what?

0 Karma