Patching for operating system security
This task covers the application of OS security patches to a Splunk User Behavior Analytics (UBA) cluster as per Splunk best practices. This procedure is valid as of UBA version 5.3.0.
This article is part of the Splunk User Behavior Analytics Owner's Manual, which describes the recommended ongoing maintenance tasks that the owner of a UBA implementation should ensure are performed to keep their implementation functional. To see more maintenance tasks, click here to see the complete manual.
Why is this important?
Splunk User Behavior Analytics runs as installed software on an underlying operating system, so the system administrator must manage patching for the underlying operating system.
Due to the strict operating requirements of Splunk User Behavior Analytics, there is a specific process for applying OS security patches that makes it a manual task. It is important to apply patches in this defined manner, as UBA does not support any alternative hardening procedures.
It is critical that these OS security patches are regularly applied to ensure the security of the UBA cluster and the environment as a whole.
Schedule
Every six months
Prerequisites
- This procedure requires CLI access to all nodes of the UBA cluster.
- This procedure requires local privileged account access to all nodes of the UBA cluster.
- A good knowledge of Unix shell commands and Unix administration is required to complete this procedure.
- The following procedures are taken from Install and upgrade Splunk User Behavior Analytics and are valid for version 5.3.0. If your UBA cluster is a different version from this, consult the relevant instructions in the documentation for that specific version and cluster type.
Notes and warnings
For UBA clusters with a warm standby, repeat the patching procedure for the standby cluster after the primary cluster has been patched.
Procedure
Please select the correct patching procedure below based on your UBA cluster type and follow the steps:
Single Node AMI or OVA installation of Splunk User Behavior Analytics:
The Splunk User Behavior Analytics AMI and OVA images use Ubuntu as the operating system.
Applying the security patches can take up to one hour.
- Log in to the Splunk User Behavior Analytics server as the caspida user.
- Run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to install the latest unattended-upgrades package:
sudo apt update
sudo apt install unattended-upgrades
- If you see the prompt "What do you want to do about modified configuration file 50unattended-upgrades?", select keep the local version currently installed.
- Run the following command:
sudo apt autoremove
- Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and un-comment the following line. Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
"${distro_id}:${distro_codename}-security";
Leave all other lines commented out.
- Run the following command:
sudo unattended-upgrade -d
- Edit the /etc/init.d/zookeeper-server file and change su to runuser in all of the following lines. Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
Before:
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
After:
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- Run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
Single-node RHEL installation of Splunk User Behavior Analytics:
- Log in to the Splunk User Behavior Analytics server as the caspida user.
- Run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to check for any available security updates:
sudo yum updateinfo list security all
sudo yum updateinfo list sec
- Run the following commands to update all packages with the available security updates:
sudo yum update --security -y
sudo yum --security update-minimal
- Reboot the system:
sudo reboot
- Run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
Single-node OEL installation of Splunk User Behavior Analytics:
- Log in to the Splunk User Behavior Analytics server as the caspida user.
- Run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- Run the following commands to check for any available security updates:
sudo yum updateinfo list security all
sudo yum updateinfo list sec
- Run the following command to resolve glibc package dependencies:
sudo yum update glibc-devel
- Run the following commands to update all packages with the available security updates:
sudo yum update --security -y
sudo yum --security update-minimal
- Reboot the system:
sudo reboot
- Run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
Multi-node AMI or OVA installation of Splunk User Behavior Analytics:
The Splunk User Behavior Analytics AMI and OVA images use Ubuntu as the operating system.
Applying the security patches can take up to one hour.
- Log in to the Splunk User Behavior Analytics management node as the caspida user.
- On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
- Run the following commands to install the latest unattended-upgrades package:
sudo apt update
sudo apt install unattended-upgrades
- If you see the prompt "What do you want to do about modified configuration file 50unattended-upgrades?", select keep the local version currently installed.
- Run the following command:
sudo apt autoremove
- Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and un-comment the following line. Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
"${distro_id}:${distro_codename}-security";
Leave all other lines commented out.
- Run the following command:
sudo unattended-upgrade -d
- Edit the /etc/init.d/zookeeper-server file and change su to runuser in all of the following lines. Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.
Before:
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
After:
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
- Reboot the system:
sudo reboot
- On the management node, run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
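The two hand edits in the Ubuntu procedures above (single-node and multi-node) are easy to get wrong when repeated across nodes or on a node that was patched before: the security origin line is only to be un-commented once, and every su call in the ZooKeeper init script has to become runuser. The following bash helpers are an added example, not Splunk's code or part of the documented procedure. They take the file paths as arguments so they can be tried on copies first, and they are idempotent, so running them a second time on an already-patched node changes nothing. The sample config and init script they are demonstrated on are constructed here and only mimic the shape of /etc/apt/apt.conf.d/50unattended-upgrades and /etc/init.d/zookeeper-server.

```bash
#!/bin/bash
# Added example (not Splunk's code): idempotent helpers for the two manual file
# edits in the UBA Ubuntu patching procedure. Both helpers take a file path, so
# they can be rehearsed on copies before being pointed at the real files
# (assumed: /etc/apt/apt.conf.d/50unattended-upgrades, /etc/init.d/zookeeper-server).

# Un-comment only the "${distro_id}:${distro_codename}-security" origin.
# Every other origin line is left exactly as found, commented or not.
enable_security_origin() {
  file="$1"
  sed 's|^\([[:space:]]*\)//[[:space:]]*\("\${distro_id}:\${distro_codename}-security";\)|\1\2|' \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Succeeds when the security origin is active (not commented out).
security_origin_enabled() {
  grep -q '^[[:space:]]*"\${distro_id}:\${distro_codename}-security";' "$1"
}

# Replace every "su -s /bin/bash zookeeper -c" with the runuser form.
# "runuser -s" does not contain "su -s", so re-running is a no-op.
zookeeper_use_runuser() {
  file="$1"
  sed 's|su -s /bin/bash zookeeper -c |runuser -s /bin/bash zookeeper -c |g' \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Succeeds only when no plain su invocation of the zookeeper user remains.
zookeeper_no_su_left() {
  ! grep -E -q '(^|[^[:alnum:]])su -s /bin/bash zookeeper' "$1"
}

# Count lines matching a basic regex; prints 0 instead of failing on no match.
count_matches() {
  grep -c "$1" "$2" || true
}

# Constructed sample files mimicking the shape of the two real files.
write_samples() {
  dir="$1"
  cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
//  "${distro_id}:${distro_codename}-security";
//  "${distro_id}ESMApps:${distro_codename}-apps-security";
//  "${distro_id}:${distro_codename}-updates";
};
EOF
  cat > "$dir/zookeeper-server" <<'EOF'
#!/bin/bash
DAEMON_SCRIPT=/usr/lib/zookeeper/bin/zkServer.sh
case "$1" in
  start) su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start" ;;
  stop)  su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop" ;;
  init)  su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*" ;;
esac
EOF
}

# Stand-alone demo on constructed copies in a temp dir, never on live files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
enable_security_origin "$demo_dir/50unattended-upgrades"
zookeeper_use_runuser "$demo_dir/zookeeper-server"
security_origin_enabled "$demo_dir/50unattended-upgrades" && echo "security origin enabled"
zookeeper_no_su_left "$demo_dir/zookeeper-server" && echo "zookeeper init script uses runuser"
rm -rf "$demo_dir"
```

On a real node the helpers would be called with sudo against the two system paths; the check functions (security_origin_enabled, zookeeper_no_su_left) can also be run on their own, before and after patching, to record the state of each node.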
Multi-node RHEL installation of Splunk User Behavior Analytics:
- Log in to the Splunk User Behavior Analytics management node as the caspida user.
- On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
- Run the following commands to check for any available security updates:
sudo yum updateinfo list security all
sudo yum updateinfo list sec
- Run the following commands to update all packages with the available security updates:
sudo yum update --security -y
sudo yum --security update-minimal
- Reboot the system:
sudo reboot
- On the management node, run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
Multi-node OEL installation of Splunk User Behavior Analytics:
- Log in to the Splunk User Behavior Analytics management node as the caspida user.
- On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida stop-all
- On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
- Run the following commands to check for any available security updates:
sudo yum updateinfo list security all
sudo yum updateinfo list sec
- Run the following command to resolve glibc package dependencies:
sudo yum update glibc-devel
- Run the following commands to update all packages with the available security updates:
sudo yum update --security -y
sudo yum --security update-minimal
- Reboot the system:
sudo reboot
- On the management node, run the following command to start Splunk User Behavior Analytics and all services:
/opt/caspida/bin/Caspida start-all
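The RHEL and OEL procedures above (single-node and multi-node) start with yum updateinfo list security all and yum updateinfo list sec to show what is pending, and a maintenance owner usually wants those figures recorded per node before the run and confirmed afterwards. The bash function below is an added example, not Splunk's code: it summarises a saved updateinfo listing into pending advisories, pending Critical/Important advisories, and already-installed advisories. It assumes the advisory line layout that yum prints (advisory id, a Severity/Sec. field, then the package); the advisory ids and package names in the constructed sample are placeholders, and the leading "i" marker for installed advisories is assumed from the "list ... all" output format.

```bash
#!/bin/bash
# Added example (not Splunk's code): summarise a captured
# "yum updateinfo list security all" (or "list sec") listing.
# Usage: sudo yum updateinfo list sec > /tmp/sec.txt; summarise_advisories /tmp/sec.txt

# Prints "<pending> <pending critical+important> <installed>".
# Non-advisory lines (plugin banners, "updateinfo list done") are ignored.
summarise_advisories() {
  awk '
    # Assumed: "list ... all" marks already-installed advisories with a leading "i".
    $1 == "i" { installed++; next }
    $1 ~ /^(RHSA|ELSA)-[0-9][0-9][0-9][0-9]:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
      pending++
      if ($2 ~ /^(Critical|Important)\//) high++
    }
    END { printf "%d %d %d\n", pending + 0, high + 0, installed + 0 }
  ' "$1"
}

# Succeeds only when the listing shows no pending security advisories,
# which is what the available-only "list sec" output should show after patching.
patch_complete() {
  [ "$(summarise_advisories "$1" | cut -d' ' -f1)" = 0 ]
}

# Constructed sample listing (placeholder advisory ids and package names).
write_sample_listing() {
  cat > "$1" <<'EOF'
Loaded plugins: langpacks, ulninfo
RHSA-2024:0001 Critical/Sec.  pkg-a-1.0-1.el8.x86_64
RHSA-2024:0002 Important/Sec. pkg-b-2.0-1.el8.x86_64
RHSA-2024:0003 Moderate/Sec.  pkg-c-3.0-1.el8.x86_64
RHSA-2024:0004 Low/Sec.       pkg-d-4.0-1.el8.x86_64
i RHSA-2023:0005 Important/Sec. pkg-e-5.0-1.el8.x86_64
updateinfo list done
EOF
}

# Constructed listing as it looks once nothing is pending.
write_empty_listing() {
  printf 'Loaded plugins: langpacks, ulninfo\nupdateinfo list done\n' > "$1"
}

# Stand-alone demo on constructed files in a temp dir.
demo_dir=$(mktemp -d)
write_sample_listing "$demo_dir/before.txt"
write_empty_listing "$demo_dir/after.txt"
echo "before: $(summarise_advisories "$demo_dir/before.txt")"
patch_complete "$demo_dir/after.txt" && echo "after: no pending security advisories"
rm -rf "$demo_dir"
```

Capturing the listing to a file on each node and keeping the before and after summaries with the change record gives a simple audit trail that every node in the cluster (and the warm standby, where present) was covered in the same maintenance window.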
Next steps
These resources might help you understand and implement this guidance:
- Splunk Docs: Install and upgrade Splunk User Behavior Analytics
- Product Tip: Splunk User Behavior Analytics Owner's Manual