Access and roles

Question 1

What authentication methods does Splunk support?

Answer 1

• Built-in
• LDAP
• Multifactor authentication
• SSO
• Scripted authentication

Question 2

What is the most common authentication method?

Answer 2

LDAP with Active Directory

Question 3

In case there are two LDAPs configured, which one gets priority?

Answer 3

The first one in the list

Question 4

List SSO options

Answer 4

SSO can be implemented with:

• reverse proxy
• proxy
• SAML

Question 5

List 4 SAML options

Answer 5

CA Siteminder, Okta, Ping Identity, Azure AD

Question 6

Give two examples for a scripted authentication?

Answer 6

RADIUS or PAM

Question 7

Where is Splunk internals authentication placed?

Answer 7

/etc/passwd

Question 8

What is the difference between authentication and authorization, give examples.

Answer 8

authentication. conf describes the way the user gets authenticated (who are you and are you allowed to come in). Eg LDAP with AD configuration.
authorization. conf describes what the granted user can do, eg which indexes can be accessed.

Question 9

A customer wants to implement LDAP with AD, does he need to work on authentication.conf or authorization.conf?

Answer 9

authentication.conf

Question 10

What Authentication method always takes precedence when multiple methods are configured?

Answer 10

Built-in

Question 11

In LDAP, what is a OU?

Answer 11

Organizational Unit

ex. ou=people, dc=splunk, dc=com

Question 12

What can you ask for from a system administrator to help with configuring Splunk with LDAP?

Answer 12

LDAP Data Interchange Format(LDIF)

This will allow you to review all of the attribute/value pairs associated with each and more identify things such as the “Base DN for users” and the “Base DN for groups”

Question 13

How does authorization work in Splunk?

Answer 13

• In order for a user to login they must have a User Account and A ROLE assigned.
• Cannot assign Access/Capabilities to a user. They must be assigned to Roles.
• Roles can only Assign Capabilites, Not Remove them.
• Rest API Data Access Query
  https: //host:port/services/authorization/roles/admin
• To faithfully restrict access to data it must be in its own index, and restricted from there. Search time obfuscation can be subverted
• Create separate indexes for data with diffferent classifications, and User access levels
• Default User Role has access to all Non-Internal indexes

Question 14

If there are SSO or SAML problems and the login is not possible, what is your option?

Answer 14

Add to the login URI:

?login_type=splunk

Question 15

What is Role?

Answer 15

A collection of permissions and capabilities

A role is a handle for linking together access rights and capabilities

Cannot assign access/capabiltiies to a user. These must be assigned to roles. If a particular individual needs a specific capability or access, then a role must be created for that user, making it a role of one.

Question 16

What are some LDAP tools to help you?

Answer 16

GUI Apps:

• Apache Directory Studio
• Softerra LDAP Vrowser
• ASDI Edit

Linux CLI:
-ldapsearch

Question 17

Can you disable capabilities inherited from parent roles?

Answer 17

No

Question 18

If SSO is configured, which does Splunk handle, Authentication or Authorization?

Answer 18

Authorization

Question 19

How do users inherit capabilities?

Answer 19

The user is given the highest level of abilities granted to any role to which they are assigned.

Question 20

What is the srchIndexesAllowed setting?

Answer 20

A list of indexes a role is allowed to search.

Question 21

What is role inheritance?

Answer 21

As a rule, members of multiple roles inherit properties from the role with the broadest permissions.

Question 22

What is the srchIndexesDefault setting?

Answer 22

A list of indexes to search when no index is specified.

Question 23

In LDAP, what is a CN?

Answer 23

Common Name

ex.cn: Peter Gibbons

Question 24

Which authentication method is natively not supported in Splunk? (needs to be scripted)

Answer 24

RADIUS