Reading the Splunk 6.2 release notes, I found that:
- IT data block signing
- Audit signing
- Event hashing
have been removed. Since these features are required to comply with the PCI DSS rules, I would like to know how their removal is going to affect the Splunk for PCI Compliance App:
It says that it is 6.2 compliant, but the PCI DSS requires this feature...
This new feature computes hashes at the slice level, not at the individual event level. The size of every slice is 128 KB. A slice consists of one or more events. In case of tampering, the system will identify the slice(s) that have been compromised.
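The slice-level scheme described in the post above, as an added illustrative model. This is not Splunk's code and makes no claim about how Splunk implements the feature: only the 128 KB slice size and the "one or more events per slice" behaviour come from the post; SHA-256 as the hash, the HMAC seal over the manifest, the demo key and the constructed sshd-style sample events are all assumptions made here. The point it demonstrates is the granularity trade-off: flipping one bit in one event flags the whole slice, so the investigator is handed every event sharing that slice rather than the altered one.

```python
import hashlib
import hmac

# Slice size stated in the post: hashes cover 128 KB slices, not single events.
SLICE_SIZE = 128 * 1024


def build_manifest(data: bytes, slice_size: int = SLICE_SIZE) -> list:
    """Return one SHA-256 hex digest per slice of `data`, in slice order.
    (SHA-256 is an assumption; the post does not name the hash function.)"""
    return [
        hashlib.sha256(data[off:off + slice_size]).hexdigest()
        for off in range(0, len(data), slice_size)
    ]


def seal_manifest(manifest: list, key: bytes) -> str:
    """HMAC over the ordered digests, so the manifest itself cannot be
    silently rewritten by whoever can rewrite the data. Illustrative only."""
    return hmac.new(key, "\n".join(manifest).encode(), hashlib.sha256).hexdigest()


def manifest_is_sealed(manifest: list, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify(data: bytes, manifest: list, slice_size: int = SLICE_SIZE) -> list:
    """Return the indices of slices whose current digest differs from the
    manifest. Truncation or appended data shows up as a mismatch in the
    last slice(s); a missing or extra slice is reported by its index too."""
    current = build_manifest(data, slice_size)
    n = max(len(current), len(manifest))
    return [
        i for i in range(n)
        if i >= len(current) or i >= len(manifest) or current[i] != manifest[i]
    ]


def events_in_slice(data: bytes, index: int, slice_size: int = SLICE_SIZE) -> int:
    """Number of newline-terminated events that have at least one byte in the
    slice: the set an investigator must review when that slice is flagged."""
    start = index * slice_size
    end = min(start + slice_size, len(data))
    count = data.count(b"\n", start, end)
    if end > start and data[end - 1:end] != b"\n":
        count += 1  # event straddles the slice boundary (or file ends mid-event)
    return count


def make_sample_events(n: int) -> bytes:
    """Constructed sample data: fixed-width syslog-style lines (68 bytes each)."""
    lines = []
    for i in range(n):
        h, m, s = i // 3600, (i % 3600) // 60, i % 60
        lines.append(
            f"2014-10-29T{h:02d}:{m:02d}:{s:02d}Z host1 sshd[{1000 + i}]: "
            f"Accepted publickey for user{i % 7}\n"
        )
    return "".join(lines).encode()


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit of one event; returns the modified copy."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    data = make_sample_events(8000)            # 544,000 bytes -> 5 slices
    manifest = build_manifest(data)
    key = b"constructed-demo-key"               # assumption: secret kept out of band
    seal = seal_manifest(manifest, key)

    # Alter a single byte of one event inside slice 2.
    offset = 2 * SLICE_SIZE + 100
    bad = tamper(data, offset)

    return {
        "slices": len(manifest),
        "clean": verify(data, manifest),        # []
        "tampered": verify(bad, manifest),      # [2]: the slice, not the event, is named
        "suspects": events_in_slice(data, 2),   # 1928 events share the flagged slice
        "truncated": verify(data[:-1000], manifest),  # [4]: last slice changed
        "sealed": manifest_is_sealed(manifest, key, seal),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practitioner caveats follow from the model. First, a per-slice hash list only detects modification; it cannot say which of the roughly 1,900 events in a flagged 128 KB slice was changed, so the event-level hashing removed in 6.2 and this replacement are not equivalent for forensic attribution. Second, the hash list has to be protected at least as well as the data (signed, or stored where the indexer's own account cannot rewrite it); the HMAC seal above stands in for whatever key management a real deployment uses.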
These features have been deprecated since 5.0 and are now officially removed. The main reason we deprecated them is the challenges associated with running them in a distributed environment.
We have an item on our roadmap to provide a robust data signing feature that is compatible with distributed environments. We are actively working on it now. The release vehicle / timeline for the new feature is TBD.
It would be good to know the current status of protecting log fidelity in Splunk:
Does Event Hashing still work in Splunk 6.2?
What about IT data block signing?
Please note that Event Hashing still works in Splunk 6.2. I tested it just yesterday.
Please also note that removing features that give some kind of certification about data integrity is a major problem for many big customers and installations.
As distributors, we have already received lots of really worried emails from partners who don't know how to manage this with their customers.
We all hope that Splunk will come out with a solution in the very near future: TBD is not an answer we can give to our partners and customers.
Yes, we have started working on the new feature and it could very well be introduced in the next version of Splunk. The reason I mentioned that the timing is TBD is that we don't announce our release dates and/or feature lists much in advance. We definitely understand the importance of data integrity features and will come out with a scalable replacement feature pretty soon.
If customers really need to use the existing feature they can do so by using pre-6.2 versions.
This is a major problem for every implementation where data integrity is mandatory! Also, a lot of security implementations require that the solution guarantee that collected data has not been modified.
Is Splunk going to add new features to accomplish the same goal, or is it leaving the compliance and security field?