This is kind of open ended, but essentially I'm looking for things that you view as bad config, or at least configuration settings that should be flagged for review.
Some ideas I've had so far:
- Indexes with a very short retention period (100 seconds or the like)
- Searches with `index=*` in them
- A deployment server targeturi that doesn't match the name of your actual DS
What other sorts of config would you flag as concerning? Do you have any automated checks for anything like this in house?
Hi
Some other issues which I always try to avoid/fix:
Definitely there are a lot more items; here is what came to my mind without thinking.
r. Ismo
TLS certs issued to IP addresses
"Sharing" certs among multiple clients (multiple servers too but I can find legitimate use cases for it).
All scheduled searches with the same schedule.
No sound method of source health monitoring (that's more of an organizational/policy issue than config, but some internal Splunk-based automation would surely be helpful here).
Searches with tons of rex commands (create the extractions already!).
Abuse of `append` in searches (usually by users "extending" old searches in dashboards without really understanding SPL).
Searches with `eval _time=something`. Often that's a badly onboarded source (but it can be a legit use case, so it's up for review, not necessarily an automatic red flag).
Using obsolete TLS versions and/or weak cipher suites.
Using default certs when TLS is enabled.
Something that always catches my attention, and requires review: `[default]`, the default stanza.
Ah yeah. Seems like it might be appropriate in some settings. Are there config files where it's particularly egregious?
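To answer the original question about automated checks, here is an added example (not anyone's in-house tooling from this thread) that parses Splunk-style .conf files and flags four of the items raised above: a short `frozenTimePeriodInSecs` in indexes.conf, `index=*` in a saved search, a deployment client `targetUri` whose host does not match the expected DS name, and any `[default]` stanza. The sample file contents and the `ds.example.com` / 86400-second threshold are constructed assumptions.

```python
import re

def parse_conf(text):
    # Splunk-style .conf: [stanza] headers, key = value, '#' comments,
    # trailing backslash continues the line (common in long SPL searches).
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def flag_conf(name, text, expected_ds=None, min_retention=86400):
    # Returns (stanza, reason) findings; thresholds are illustrative assumptions.
    findings, conf = [], parse_conf(text)
    if "default" in conf:
        findings.append(("default", "[default] stanza present, review scope"))
    for stanza, kv in conf.items():
        if name == "indexes.conf" and "frozenTimePeriodInSecs" in kv:
            secs = int(kv["frozenTimePeriodInSecs"])
            if secs < min_retention:
                findings.append((stanza, f"retention {secs}s below {min_retention}s"))
        if name == "savedsearches.conf" and re.search(r"index\s*=\s*\*", kv.get("search", "")):
            findings.append((stanza, "search uses index=*"))
        if name == "deploymentclient.conf" and expected_ds and "targetUri" in kv:
            host = kv["targetUri"].split(":")[0]
            if host.lower() != expected_ds.lower():
                findings.append((stanza, f"targetUri host {host} != {expected_ds}"))
    return findings

# Constructed sample files (not from any real deployment).
SAMPLE_INDEXES = "[default]\nmaxTotalDataSizeMB = 500000\n\n[scratch]\nfrozenTimePeriodInSecs = 100\n"
SAMPLE_SEARCHES = "[Everything Errors]\nsearch = index=* sourcetype=syslog error \\\n  | stats count by host\n"
SAMPLE_DC = "[target-broker:deploymentServer]\ntargetUri = old-ds.example.com:8089\n"

if __name__ == "__main__":
    files = [("indexes.conf", SAMPLE_INDEXES), ("savedsearches.conf", SAMPLE_SEARCHES), ("deploymentclient.conf", SAMPLE_DC)]
    for fname, text in files:
        for stanza, reason in flag_conf(fname, text, expected_ds="ds.example.com"):
            print(f"{fname} [{stanza}]: {reason}")
```

Point it at the merged output of `btool` rather than a single file if you want to see what actually wins after app layering.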