Splunk Enterprise Security

Is there an optimal version of RHEL 7.7 for installing Splunk?

danny12345
Explorer

We are setting up Splunk in a secure environment, and we were wondering if anyone has come across an "optimal" or baseline version of RHEL 7.7 for installing Splunk 8.0 or 7.3? We were wondering if anyone was willing to share their best practices in terms of the OS install for Splunk, and specifically RHEL 7.7?

Thank you in advance!

0 Karma
1 Solution

BainM
Communicator

Hi Danny-
Most companies are going to be very tight-lipped about what OS details they are using. Let's just say that I am replying to this because we are in the same "ballpark". 🙂
7.7 is using the same kernel version (3.10) with the only difference from any other version of 7 being the build number. Since kernel.org is at the latest 5.x, RHEL and CentOS go for stability. However, CentOS8 makes a big jump to 4.18.0-80 from the 3.10 build, so there's something there that should be evaluated. It seems, however, that 3.10 is still the most stable and secure, at least for the 7.x setups.

SELinux is highly recommended, with the ability to have customized app access and better ACL control. The firewallD app is great as well.

Tanium is a good security app to keep an eye on things in addition to others I cannot mention.
Sometimes the best defense is staying on top of security patches, daily scanning, and patch evaluation is also critical. Don't scan the index filesystem for your indexers though! 🙂
I also highly recommend using Workload Management which gives you Control Groups (built into RHEL and CENTOS) which allows much more power over the Splunk processes (even allowing to allocate resources to searches or indexing, or both in varying degrees). This could be helpful in security evaluation situations (I allocate x% to splunkd and nothing else can take that).

Hope this helps,
Mike

View solution in original post

0 Karma

BainM
Communicator

Hi Danny-
Most companies are going to be very tight-lipped about what OS details they are using. Let's just say that I am replying to this because we are in the same "ballpark". 🙂
7.7 is using the same kernel version (3.10) with the only difference from any other version of 7 being the build number. Since kernel.org is at the latest 5.x, RHEL and CentOS go for stability. However, CentOS8 makes a big jump to 4.18.0-80 from the 3.10 build, so there's something there that should be evaluated. It seems, however, that 3.10 is still the most stable and secure, at least for the 7.x setups.

SELinux is highly recommended, with the ability to have customized app access and better ACL control. The firewallD app is great as well.

Tanium is a good security app to keep an eye on things in addition to others I cannot mention.
Sometimes the best defense is staying on top of security patches, daily scanning, and patch evaluation is also critical. Don't scan the index filesystem for your indexers though! 🙂
I also highly recommend using Workload Management which gives you Control Groups (built into RHEL and CENTOS) which allows much more power over the Splunk processes (even allowing to allocate resources to searches or indexing, or both in varying degrees). This could be helpful in security evaluation situations (I allocate x% to splunkd and nothing else can take that).

Hope this helps,
Mike

0 Karma

danny12345
Explorer

Thank you Mike, for your response, but we already know that RHEL 7.7 is fully compatible and supported by Splunk. However, do you know if there is an optimal installation type for RHEL? The possible choices are minimal install, infrastructure install, file and print server, basic web server, virtualization host, server with GUI. There are also RHEL add-ons available but I'm not sure if anyone uses these for Splunk, such as debugging tools, compatibility libraries, development tools, security tools, and smart card support. We just want to follow what the best practice is, if there is one. Thank you again!

0 Karma

BainM
Communicator

HI Danny-
I would definitely go with Minimal install to keep a "tight ship" and then make sure secure Repos are enabled so you can add anything in as needed (which I seriously doubt you will need).
Here's an actual package list comparison with Infra. in bold.

danny12345
Explorer

Thank you Mike! That's very helpful!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...