Re: What is the distributed_leases stanza for?

jmcnutt · ‎07-26-2023

I am working on securing all of the communications to my Splunk Enterprise servers.

Looking at the output of "splunk btool server list" there is a section named "distributed_leases" that has "sslVerifyServerCert=false" set (as given in etc/system/default/server.conf).

On the one hand, it also has "disabled=true" so I should be able to set it however I want and see no effects.

On the other hand, I don't prefer to tweak settings without knowing what they belong to.

Looking at the spec file revealed no more than a trivial answer about securing the connection. Searching on docs.splunk.com turned up nothing except for the server.conf.spec file that I already had.

Does anyone know what "distributed_leases" is used for?

cklunck · ‎07-27-2023

That stanza was added in v8.2.0, which was about the time federated search was rolled out.

If I had to guess, that stanza could lay the foundation for leasing authentication tokens from a vault (like HashiCorp Vault or Amazon STS), so those leased credentials can be used with distributed/federated search.

Admittedly, this is nothing more than wild speculation on my part. But given that it's not yet documented, it's probably not in use anywhere. And since it's disabled by default, you're probably safe changing the verify clause to true without it impacting anything. However, if it does break something, you didn't hear that from me

Source: completely baseless speculation

jmcnutt · ‎07-31-2023

Well, I'll be trying it shortly. Fortunately, I have a host that doesn't matter TOO much if I break it.

What is the distributed_leases stanza for?

configuration

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?