Does Splunk Support SHA-256 or SHA-1?


Does Splunk support SHA-256 or is it backwards compatible with SHA-1?



Basically. Splunk index data is encrypted as SHA-256


EVENT HASHING: turn on SHA256 event hashing.

* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right. Two special filters are provided by default:
  blacklist_all and whitelist_all, use them to terminate the list of your filters. For example
  if your list contains only whitelists, then terminating it with blacklist_all will result in
  signing of only events that match any of the whitelists. The default implicit filter list
  terminator is whitelist_all.

In Version 6.0.2, you can set SHA-256 in authentication.conf for user password.

* Follow this stanza name with any number of the following attribute/value pairs.

authType = [Splunk|LDAP|Scripted]
* Specify which authentication system to use.
* Supported values: Splunk, LDAP, Scripted.
* Defaults to Splunk.

authSettings = ,,...
* Key to look up the specific configurations of chosen authentication system.
* is the name of a stanza header that specifies attributes for an LDAP strategy
  or for scripted authentication. Those stanzas are defined below.
* For LDAP, specify the LDAP strategy name(s) here. If you want Splunk to query multiple LDAP servers,
  enter a comma-separated list of all strategies. Each strategy must be defined in its own stanza. The order in
  which you specify the strategy names will be the order Splunk uses to query their servers when looking for a user.
* For scripted authentication, should be a single stanza name.

passwordHashAlgorithm = [SHA512-crypt|SHA256-crypt|SHA512-crypt-|SHA256-crypt-|MD5-crypt]
* For the default "Splunk" authType, this controls how hashed passwords are stored in the $SPLUNK_HOME/etc/passwd file.
* "MD5-crypt" is an algorithm originally developed for FreeBSD in the early 1990's which became a widely used
  standard among UNIX machines. It was also used by Splunk up through the 5.0.x releases. MD5-crypt runs the
  salted password through a sequence of 1000 MD5 operations.
* "SHA256-crypt" and "SHA512-crypt" are newer versions that use 5000 rounds of the SHA256 or SHA512 hash
  functions. This is slower than MD5-crypt and therefore more resistant to dictionary attacks. SHA512-crypt
  is used for system passwords on many versions of Linux.
* These SHA-based algorithms can optionally be followed by a number of rounds to use. For example,
  "SHA512-crypt-10000" will use twice as many rounds of hashing as the default implementation. The
  number of rounds must be at least 1000.
* This setting only affects new password settings (either when a user is added or a user's password
  is changed). Existing passwords will continue to work but retain their previous hashing algorithm.
* The default is "SHA512-crypt".
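
Because passwordHashAlgorithm only applies to newly set passwords, accounts created earlier can keep an MD5-crypt hash. The following is an added example (not part of the original answer and not Splunk code) that audits a passwd-style file for such entries by their standard crypt(3) prefix. It assumes a colon-separated layout with the username followed by the hash; the sample entries are constructed.

```python
import re

# Standard crypt(3) scheme ids mapped to the passwordHashAlgorithm names
# and the default round counts stated in the spec text quoted above.
SCHEMES = {"1": ("MD5-crypt", 1000),
           "5": ("SHA256-crypt", 5000),
           "6": ("SHA512-crypt", 5000)}

def classify(hash_field):
    """Return (algorithm, rounds) for a crypt-style hash, else ("unknown", None)."""
    m = re.match(r"^\$([156])\$(?:rounds=(\d+)\$)?", hash_field)
    if not m:
        return ("unknown", None)
    name, rounds = SCHEMES[m.group(1)]
    # An explicit rounds= parameter only exists for the SHA-based schemes.
    if m.group(1) != "1" and m.group(2):
        rounds = int(m.group(2))
    return (name, rounds)

def audit(passwd_text, min_sha_rounds=5000):
    """List (user, algorithm, rounds, reason) for entries that need attention."""
    findings = []
    for line in passwd_text.splitlines():
        # Assumed layout: ":username:hash:..." (leading colon tolerated).
        fields = line.strip().lstrip(":").split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user = fields[0]
        alg, rounds = classify(fields[1])
        if alg == "MD5-crypt":
            findings.append((user, alg, rounds, "legacy hash; reset password to re-hash"))
        elif alg == "unknown":
            findings.append((user, alg, rounds, "unrecognized hash format"))
        elif rounds < min_sha_rounds:
            findings.append((user, alg, rounds, "rounds below default"))
    return findings

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE = """\
:admin:$6$saltsaltsaltsalt$CONSTRUCTEDHASH::Administrator:admin:admin@example.com
:olduser:$1$saltsalt$CONSTRUCTEDHASH::Old User:user:old@example.com
:svc:$6$rounds=10000$saltsalt$CONSTRUCTEDHASH::Service:power:svc@example.com
:weak:$5$rounds=1000$saltsalt$CONSTRUCTEDHASH::Weak:user:weak@example.com
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```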


Support SHA-256/SHA-1 for what?
