Splunk CAC login / SSO cookie length

neutronscott
New Member

I'm playing with Splunk 6.6.0 and DOD CAC login (X509 client certificates on a smartcard). The documentation says the REMOTE_USER must be in every request, but testing shows this isn't necessarily true, I think. Once the user received a session cookie, I was able to remove the header and stay signed in. In fact, I could close the browser and re-open it and the session was still alive. The cookie was set to expire in 10 years I believe, but I'm sure after 1hr of inactivity the server-side expires it.

Since client SSL auth and cert extraction is said to be an expensive operation, I thought I'd only request it once. This is what our web mail does. But I have also read that a per-location ssl verify requires a secure renegotiation and is better done with a separate domain or port. Our web mail uses a different port. So I was thinking of doing a redirect from when Splunk sends the user to /en-US/account/login to go to a separate VirtualHost that has "SSLVerifyClient required" and passes REMOTE_USER from %{SSL_CLIENT_SAN_OTHER_msUPN_0}e which maps to userPrincipalName in LDAP to Active Directory...

I believe this is a much better way than the previous solutions on here, but:

  1. Can I rely on passing the REMOTE_USER just once? (perhaps I misunderstood documentation)
  2. Can I get the browser cookie set by Splunk to expire on close? Without editing headers in Apache?
  3. If #1 is false, perhaps I can use my own mod_session setup, and welcome ideas, as I've little experience in cookie security and cross-site attacks.

neutronscott
New Member

I think the answers are:

  1. yes
  2. tools.sessions.restart_persist = false

This should greatly improve performance as the client certificates aren't verified with each connection.

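The split-VirtualHost setup described in the question, with the one-time REMOTE_USER hand-off, as an added example that is not from this thread or from Splunk's or Apache's documentation; the hostname, ports, certificate paths, CA bundle and the Splunk Web backend address (127.0.0.1:8000) are assumptions.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_ssl,
# mod_proxy, mod_headers and mod_alias; hostname, ports, cert paths and the
# Splunk Web backend address are placeholders.

# Main vhost: no client certificate, everything is proxied to Splunk Web.
<VirtualHost *:443>
    ServerName splunk.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/splunk.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/splunk.example.test.key
    SSLVerifyClient none

    # Never forward a client-supplied REMOTE_USER: Splunk trusts this header
    # from the proxy address, so only the CAC vhost below may set it.
    RequestHeader unset REMOTE_USER

    # Splunk sends unauthenticated users to its login page; bounce them to the
    # CAC vhost, which performs the certificate check exactly once.
    Redirect /en-US/account/login https://splunk.example.test:8443/en-US/account/login

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# CAC vhost: full client-certificate handshake on its own port, so no
# per-Location renegotiation is needed.
<VirtualHost *:8443>
    ServerName splunk.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/splunk.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/splunk.example.test.key
    SSLCACertificateFile  /etc/ssl/certs/dod-ca-bundle.pem   # assumed CA bundle
    SSLVerifyClient require
    SSLVerifyDepth 3                  # assumed chain depth for the CA bundle
    SSLOptions +StdEnvVars            # exports SSL_CLIENT_SAN_OTHER_msUPN_0

    # Only the login request is served here. The UPN from the certificate's
    # otherName SAN becomes REMOTE_USER for the single request that creates
    # the Splunk session; Splunk answers with its session cookie.
    <Location /en-US/account/login>
        RequestHeader set REMOTE_USER "%{SSL_CLIENT_SAN_OTHER_msUPN_0}e"
    </Location>
    ProxyPreserveHost On
    ProxyPass        /en-US/account/login http://127.0.0.1:8000/en-US/account/login
    ProxyPassReverse /en-US/account/login http://127.0.0.1:8000/en-US/account/login

    # Anything else on this port (including Splunk's post-login redirect)
    # goes back to the normal vhost, where the cookie alone carries the session.
    RedirectMatch "^/(?!en-US/account/login)(.*)" "https://splunk.example.test/$1"
</VirtualHost>
```

Splunk still has to be told to trust the proxy (SSOMode, trustedIP and remoteUser under [settings] in web.conf, and trustedIP under [general] in server.conf), and the tools.sessions.restart_persist = false setting from the follow-up post belongs in the same [settings] stanza of web.conf.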

jkat54
SplunkTrust

"In fact, I could close the browser and re-open it and the session was still alive"

I find this hard to believe unless you had other browser windows open or have a network device that is caching cookies.


neutronscott
New Member

"or have a network device that is caching cookies."

I find this hard to believe.


jkat54
SplunkTrust

Which part, that you might have such a device or that one might exist?
