Splunk Enterprise Security

Is there an optimal version of RHEL 7.7 for installing Splunk?

danny12345
Explorer

We are setting up Splunk in a secure environment, and we were wondering if anyone has come across an "optimal" or baseline version of RHEL 7.7 for installing Splunk 8.0 or 7.3? We were wondering if anyone was willing to share their best practices in terms of the OS install for Splunk, and specifically RHEL 7.7?

Thank you in advance!

1 Solution

BainM
Communicator

Hi Danny-
Most companies are going to be very tight-lipped about what OS details they are using. Let's just say that I am replying to this because we are in the same "ballpark". 🙂
7.7 is using the same kernel version (3.10) with the only difference from any other version of 7 being the build number. Since kernel.org is at the latest 5.x, RHEL and CentOS go for stability. However, CentOS 8 makes a big jump to 4.18.0-80 from the 3.10 build, so there's something there that should be evaluated. It seems, however, that 3.10 is still the most stable and secure, at least for the 7.x setups.

SELinux is highly recommended, with the ability to have customized app access and better ACL control. The firewalld app is great as well.

Tanium is a good security app to keep an eye on things in addition to others I cannot mention.
Sometimes the best defense is staying on top of security patches; daily scanning and patch evaluation are also critical. Don't scan the index filesystem for your indexers though! 🙂
I also highly recommend using Workload Management, which gives you Control Groups (built into RHEL and CentOS) and allows much more power over the Splunk processes (even allowing you to allocate resources to searches or indexing, or both in varying degrees). This could be helpful in security evaluation situations (I allocate x% to splunkd and nothing else can take that).

Hope this helps,
Mike


danny12345
Explorer

Thank you Mike, for your response, but we already know that RHEL 7.7 is fully compatible and supported by Splunk. However, do you know if there is an optimal installation type for RHEL? The possible choices are minimal install, infrastructure install, file and print server, basic web server, virtualization host, server with GUI. There are also RHEL add-ons available but I'm not sure if anyone uses these for Splunk, such as debugging tools, compatibility libraries, development tools, security tools, and smart card support. We just want to follow what the best practice is, if there is one. Thank you again!


BainM
Communicator

Hi Danny-
I would definitely go with Minimal install to keep a "tight ship" and then make sure secure repos are enabled so you can add anything in as needed (which I seriously doubt you will need).
Here's an actual package list comparison with Infra. in bold.

danny12345
Explorer

Thank you Mike! That's very helpful!

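The advice in Mike's two replies (SELinux enforcing, firewalld, keep scanners off the index filesystem, Minimal install with nothing extra) boils down to a handful of checks you can script and run after every build. The script below is an added example written for this page; it is not from the thread, from Splunk, or from any RHEL baseline. Every check takes its input as an argument so it can run against captured command output or the constructed samples in the demo; with no argument it queries the live host. The allowed port list, the unwanted-package prefixes, and the default `$SPLUNK_DB` path are assumptions to adjust to the host's role. It also assumes `firewall-cmd --list-services` / `--list-ports` print space-separated entries, which is their normal output.

```shell
#!/bin/sh
# Post-install baseline checks for a Splunk indexer on a RHEL 7 Minimal install.
# Added example for this page; not from the thread or from Splunk.

# Assumption: a stand-alone indexer needs 8089/tcp (management) and 9997/tcp
# (receiving); 8000/tcp only if Splunk Web stays enabled. ssh for admin access.
SPLUNK_ALLOWED="ssh 8089/tcp 9997/tcp 8000/tcp"

# Assumption: packages that have no place on a Minimal Splunk host. Matched as
# prefixes of `rpm -qa` output; extend to match your own baseline.
UNWANTED_PKG_PREFIXES="gcc- gdb- httpd- xorg-x11 gnome- telnet- rsh-"

# 1. SELinux must be enforcing now (getenforce) and after a reboot (config file).
selinux_enforcing() {
  mode="${1:-$(getenforce 2>/dev/null || echo Unknown)}"
  [ "$mode" = "Enforcing" ]
}
selinux_config_mode() {
  # prints the SELINUX= value from a config file (default /etc/selinux/config)
  awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' \
    "${1:-/etc/selinux/config}"
}

# 2. firewalld: every enabled service or port must be on the allow list.
#    $1: whitespace-separated entries, e.g.
#        "$(firewall-cmd --list-services) $(firewall-cmd --list-ports)"
#    $2: allow list (default SPLUNK_ALLOWED). Prints each entry not allowed.
unexpected_firewall_entries() {
  allow="${2:-$SPLUNK_ALLOWED}"
  for entry in $1; do
    case " $allow " in
      *" $entry "*) ;;
      *) printf '%s\n' "$entry" ;;
    esac
  done
}
firewall_ok() { [ -z "$(unexpected_firewall_entries "$1" "$2")" ]; }

# 3. Directories to exclude from AV / vulnerability scanners: resolve every
#    bucket path in an indexes.conf, expanding $SPLUNK_DB
#    (default assumed: /opt/splunk/var/lib/splunk). Feed the result to the
#    scanner's exclusion list instead of hand-maintaining it.
index_paths() {
  conf="$1"; db="${2:-/opt/splunk/var/lib/splunk}"
  awk -v db="$db" -F= '
    /^[[:space:]]*(homePath|coldPath|thawedPath|tstatsHomePath|summaryHomePath)[[:space:]]*=/ {
      v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
      gsub(/\$SPLUNK_DB/, db, v); print v
    }' "$conf" | sort -u
}

# 4. Minimal-install audit: print installed packages matching an unwanted prefix.
#    $1: package list, one per line (default: rpm -qa output).
unwanted_packages() {
  pkgs="${1:-$(rpm -qa 2>/dev/null)}"
  for p in $pkgs; do
    for prefix in $UNWANTED_PKG_PREFIXES; do
      case "$p" in "$prefix"*) printf '%s\n' "$p"; break ;; esac
    done
  done
}

# Demo against constructed samples so the script runs on any box: `sh baseline.sh demo`.
demo() {
  sample_conf=$(mktemp)
  printf '[main]\nhomePath = $SPLUNK_DB/main/db\ncoldPath = $SPLUNK_DB/main/colddb\nthawedPath = $SPLUNK_DB/main/thaweddb\n' > "$sample_conf"
  echo "scanner exclusions:"; index_paths "$sample_conf" /data/splunk
  rm -f "$sample_conf"
  echo "unexpected firewall entries:"
  unexpected_firewall_entries "ssh dhcpv6-client 8089/tcp 9997/tcp 23/tcp"
  echo "unwanted packages:"
  unwanted_packages "$(printf 'bash-4.2.46-34.el7.x86_64\ngcc-4.8.5-39.el7.x86_64\ntelnet-0.17-65.el7_8.x86_64\n')"
  if selinux_enforcing; then echo "SELinux: Enforcing"; else echo "SELinux: NOT enforcing"; fi
}
case "${1:-}" in demo) demo ;; esac
```

On a live host, source the file and call the checks without arguments (`selinux_enforcing`, `firewall_ok "$(firewall-cmd --list-services) $(firewall-cmd --list-ports)"`, `unwanted_packages`, `index_paths /opt/splunk/etc/system/local/indexes.conf`). Note that a default firewalld public zone enables `dhcpv6-client` as well as `ssh`, which is why the demo flags it: decide explicitly what belongs in the allow list rather than inheriting the zone defaults.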