While all of the settings on each device returned by this search may appear to be hardened, you will still need to verify the value of PYTHONHTTPSVERIFY in $SPLUNK_HOME/etc/splunk-launch.conf on each device in order to harden the Python configuration.

Techniques

Sample rules

Splunk Protocol Impersonation Weak Encryption Configuration

Description

On June 14th, 2022, Splunk released a security advisory relating to TLS validation occurring within the httplib and urllib Python libraries shipped with Splunk. In addition to upgrading to Splunk Enterprise 9.0 or later, several configuration settings need to be set. This search checks those configurations on the search head it is run from as well as on its search peers. In addition to these settings, the PYTHONHTTPSVERIFY setting in $SPLUNK_HOME/etc/splunk-launch.conf needs to be enabled as well. Other components, such as additional search heads or anything this REST command cannot be distributed to, will need to be checked manually.

Detection logic

| rest /services/server/info
| table splunk_server version server_roles
| join splunk_server [
| rest /servicesNS/nobody/search/configs/conf-server/ search="PythonSslClientConfig"
| table splunk_server sslVerifyServerCert sslVerifyServerName]
| join splunk_server [
| rest /servicesNS/nobody/search/configs/conf-web/settings
| table splunk_server serverCert sslVersions]
| rename sslVerifyServerCert as "Server.conf:PythonSSLClientConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:PythonSSLClientConfig:sslVerifyServerName", serverCert as "Web.conf:Settings:serverCert", sslVersions as "Web.conf:Settings:sslVersions"
| `splunk_protocol_impersonation_weak_encryption_configuration_filter`
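The search above cannot read splunk-launch.conf over REST, so the PYTHONHTTPSVERIFY value still has to be checked on each host by hand. The following is an added example, not part of this page or of Splunk's own tooling: it parses a splunk-launch.conf file (assumed to be plain KEY=VALUE lines with # comments) and reports whether the setting is enabled, treating the value 1 as the enabled state (an assumption about the hardened value) and an absent or commented-out key as not hardened.

```python
import os

# Added example: a local check for the PYTHONHTTPSVERIFY setting that the
# REST-based search cannot reach. Assumptions: splunk-launch.conf is plain
# KEY=VALUE text with '#' comments, and "1" is the enabled (hardened) value.


def launch_conf_path() -> str:
    """Path of splunk-launch.conf, derived from $SPLUNK_HOME (default /opt/splunk)."""
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    return os.path.join(home, "etc", "splunk-launch.conf")


def parse_launch_conf(text: str) -> dict:
    """Parse KEY=VALUE lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def python_https_verify_enabled(settings: dict) -> bool:
    """True only when PYTHONHTTPSVERIFY is explicitly set to 1."""
    return settings.get("PYTHONHTTPSVERIFY", "").strip() == "1"


def check_launch_conf(text: str, host: str) -> dict:
    """Summarise one host's splunk-launch.conf in the same spirit as the search table."""
    settings = parse_launch_conf(text)
    return {
        "splunk_server": host,
        "PYTHONHTTPSVERIFY": settings.get("PYTHONHTTPSVERIFY"),
        "hardened": python_https_verify_enabled(settings),
    }


# Constructed sample files (not real configs): one hardened, one with the key commented out.
SAMPLE_HARDENED = "# constructed sample\nSPLUNK_HOME=/opt/splunk\nPYTHONHTTPSVERIFY=1\n"
SAMPLE_UNSET = "# constructed sample\nSPLUNK_HOME=/opt/splunk\n#PYTHONHTTPSVERIFY=1\n"

if __name__ == "__main__":
    for host, text in (("sh-01", SAMPLE_HARDENED), ("idx-01", SAMPLE_UNSET)):
        print(check_launch_conf(text, host))
    print("would read:", launch_conf_path())
```

On a real host, replace the constructed samples with the contents of the file returned by launch_conf_path(); any host reporting hardened False needs the setting enabled even if the search above shows it as hardened.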