11/28/2023 0 Comments Splunk soar community editionMalicious apps can also introduce hostile HTML into the web user interface in two places: If apps, or assets have configured credentials, obtaining those credentials is possible from an app or playbook's code. Anything that the Python language with common libraries can do can be done from an app's or playbook's code. Python code runs without restrictions other than that it is running as a user account without any special privileges. It is critical that any untrusted code you obtain from other sources be examined thoroughly. When running, the python code from Apps and Playbooks are running as either the linux user account phantom, or the specified account that runs. You can get apps or playbooks from third parties, such as other users. You can develop apps and playbooks yourself.Splunk provides several apps and playbooks from Splunkbase, the Phantom Portal, and a GitHub repository.Playbooks are specially-crafted Python code that utilize Python libraries run actions, use apps, or run custom code.Īpps and playbooks are available from several sources:.Apps provide Actions to, to make controlling your security infrastructure easy. Apps are collections of Python code and JSON configuration files that allow to connect to, use, and control other products or services.Uses user-supplied Python code in several ways. If you need to connect to a git repo that uses an unrecognized CA, you have to disable git certificate checking system-wide. Git repositories can be configured to use an HTTPS URI if that repository uses a signed certificate from a commercial certificate authority. The git client uses the OpenSSL certificate store, which includes most commercial CAs. Note that the requirement for the Common Name to match still applies, so if the certificate is for, then the asset must also be configured to connect to it as, and not a different form of the name such as "server", or an IP address. This includes any necessary intermediate certificates. If an asset uses TLS and has a self-signed certificate, or if you have an in-house certificate authority, then those certificates must be imported into the store for verification to work. In almost all cases, can use its certificate store to validate any certificate issued by a commercial certificate authority (CA). The certificates in the store are trusted certificate authority (CA) certificates from. Has a certificate store used to validate certificates when opening connections to other servers. Users that require the most advanced account security features are encouraged to use an external identity provider.ĭoes use a certificate store for authenticating the LDAPS authentication server.įor more on information configuring users, two-factor authentication, and passwords, see the section Manage your users and accounts in Administer. Supports password complexity for its local accounts. Supports using Duo for two-factor authentication. See the Wikipedia article for more information. The local user database uses the default Django PBKDF2 hash. There are several options for web UI authentication. Uses its own authentication database, independent of the linux operating system. Is always deployed as an unprivileged installation. In cloud and unprivileged deployments, because does not have root level access to configure systemd items, the user account that runs has its crontab modified to run /bin/start_phantom.sh at system boot time.When phantom_watchdogd starts up, it brings up all the other processes. In privileged deployments, the daemon phantom_watchdogd is configured as a systemd service via systemctl to start when the system boots.This section provides a brief overview of what happens when starts. All other daemons run as the phantom user.In an unprivileged deployment the watchdogd daemon runs as the phantom user and some of its abilities that require root permissions are removed.In a privileged deployment the watchdogd daemon runs as root and is responsible for starting or stopping other processes, collecting system and process information, and installing RPMs.The web-based user interface runs in the http process as the nginx user.Users do not have access to the operating system of their deployment.ĭoes not monitor or control the operating system on which it is deployed.īasic OS privilege separation is utilized, partitions are mounted with limited capabilities, and for privileged deployments SELinux is on. This topic explains the fundamentals of the system design and base security measures, as well as the parameters and limitations for that design.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |