Risk items identified with mongodb with kvstore

anglewwb35
Explorer

We have deployed Splunk Enterprise on Huawei Cloud. After conducting baseline checking, we have discovered several risk items targeting MongoDB with the following:
Rule: Use a Secure TLS Version
Rule: Disable Listening on the Unix Socket
Rule: Set the Background Startup Mode
Rule: Disable the HTTP Status Interface
Rule: Configure bind_ip
Rule: Disable Internal Command Test
Rule: Do Not Omit Server Name Verification
Rule: Enable the Log Appending Mode
Rule: Restrict the Permission on the Home Directory of MongoDB
Rule: Restrict the Permission on the Bin Directory of MongoDB
Rule: Check the FIPS Mode Option

I have checked if there is any related documentation but I cannot find any of them. I am wondering if I should create a mongodb.conf for it. Thanksss

VatsalJagani
SplunkTrust
SplunkTrust

@anglewwb35 - Just FYI, Splunk includes MongoDB within its installation to run the KVstore service for lookups.

Now I don't recommend making any specific changes, except maybe blocking the kvstore port from outside the local machine via a local firewall or cloud firewall (be careful when blocking the port if you are using an SH Cluster).

* Default KVstore Port - 8191

I hope this helps!!! Kindly upvote!!!

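One way to carry out the port restriction suggested in this answer, as an added example that is not from the thread or from Splunk: an iptables rule set that keeps the default KV store port 8191 reachable only from loopback and from the other search head cluster members, so cluster replication keeps working while the rest of the network is refused. The peer addresses are constructed placeholders; the cloud security-group equivalent the answer also mentions is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: restrict the Splunk KV store port
# (8191, the default quoted in the answer) to loopback plus the other
# search head cluster members, using iptables.
# The peer list at the bottom is constructed; replace it with your own SHC members.

KVSTORE_PORT=8191

# Accept an IPv4 address or CIDR block only; anything else is refused so a
# typo cannot silently produce an ACCEPT-from-anywhere rule.
valid_peer() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit the rules for a space-separated peer list. Order matters: loopback
# and peers are accepted first, then the port is rejected for everyone
# else. Returns 1 (and emits nothing) if any peer fails validation.
kvstore_rules() {
    for p in $1; do
        valid_peer "$p" || { echo "invalid peer: $p" >&2; return 1; }
    done
    echo "iptables -A INPUT -i lo -p tcp --dport $KVSTORE_PORT -j ACCEPT"
    for p in $1; do
        echo "iptables -A INPUT -p tcp -s $p --dport $KVSTORE_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $KVSTORE_PORT -j REJECT --reject-with tcp-reset"
}

# Number of ACCEPT rules: loopback plus one per peer. A quick check that
# every cluster member made it into the list before anything is applied.
kvstore_accept_count() {
    kvstore_rules "$1" | grep -c -- '-j ACCEPT'
}

# Dry-run by default; set APPLY=1 (as root) to execute the rules.
kvstore_apply() {
    rules=$(kvstore_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then sh -c "$rule"; else echo "[dry-run] $rule"; fi
    done
}

# Constructed three-node cluster as seen from one member (the other two IPs).
SHC_PEERS="10.0.1.11 10.0.1.12"
kvstore_apply "$SHC_PEERS"
```

Because the rules are appended with `-A`, they only take effect if no earlier rule in the INPUT chain already accepts all traffic to the port; review the existing chain before applying.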

PickleRick
SplunkTrust
SplunkTrust

1. As @VatsalJagani already pointed out, mongodb is an integral part of the Splunk distribution and Splunk relies on it to work properly. Therefore changing its configuration is not recommended, and you're very likely to cause problems if you change things without a deep understanding of their impact on the whole environment.

2. Baseline checks, vulnerability scans and such are just tools to help you assess the state of the system, not do the job for you. They alone are not sufficient grounds for telling you what is OK and what is not. Running them blindly and following their "recommendations" without understanding the results of the performed tests and their context is not good practice.
