Splunk Lantern

Patching for operating system security

 

This task covers the application of OS security patches to a Splunk User Behavior Analytics (UBA) cluster as per Splunk best practices. This procedure is valid as of UBA version 5.3.0.

This article is part of the Splunk User Behavior Analytics Owner's Manual, which describes the recommended ongoing maintenance tasks that the owner of a UBA implementation should ensure are performed to keep their implementation functional. To see more maintenance tasks, see the complete manual.

Why is this important?

Splunk User Behavior Analytics runs as installed software on an underlying operating system, so the system administrator must manage patching for the underlying operating system.

Because of the strict operating requirements of Splunk User Behavior Analytics, OS security patches must be applied through a specific process, which makes patching a manual task. Apply patches in this defined manner, because UBA does not support any alternative hardening procedures.

It is critical that these OS security patches are regularly applied to ensure the security of the UBA cluster and the environment as a whole.

Schedule

Every six months

Prerequisites

  • This procedure requires CLI access to all nodes of the UBA cluster.
  • This procedure requires local privileged account access to all nodes of the UBA cluster.
  • A good knowledge of Unix shell commands and Unix administration is required to complete this procedure.
  • The following procedures are taken from Install and upgrade Splunk User Behavior Analytics and are valid for version 5.3.0. If your UBA cluster is a different version to this, please consult the relevant instructions in the documentation for that specific version and cluster type.

Notes and warnings

For UBA clusters with a warm standby, repeat the patching procedure for the standby cluster after the primary cluster has been patched.

Procedure

Please select the correct patching procedure below based on your UBA cluster type and follow the steps:

Single Node AMI or OVA installation of Splunk User Behavior Analytics:

The Splunk User Behavior Analytics AMI and OVA images use Ubuntu as the operating system. 

Applying the security patches can take up to one hour.

  1. Log in to the Splunk User Behavior Analytics server as the caspida user.
  2. Run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. Run the following commands to install the latest unattended-upgrades package:
    sudo apt update
    sudo apt install unattended-upgrades
  4. If you see the prompt "What do you want to do about modified configuration file 50unattended-upgrades?", select keep the local version currently installed.
  5. Run the following command:
    sudo apt autoremove
  6. Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and un-comment the following line:
    Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.

    "${distro_id}:${distro_codename}-security";
    Leave all other lines commented out.
  7. Run the following command:
    sudo unattended-upgrade -d
  8. Edit the /etc/init.d/zookeeper-server file and change su to runuser in all of the following lines:
    Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.

    Before:
    su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
    su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
    su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
    After:
    runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
    runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
    runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
  9. Reboot the system:
    sudo reboot
  10. Run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all

Single-node RHEL installation of Splunk User Behavior Analytics:

  1. Log in to the Splunk User Behavior Analytics server as the caspida user.
  2. Run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. Run the following commands to check for any available security updates:
    sudo yum updateinfo list security all
    sudo yum updateinfo list sec
  4. Run the following command to update all packages with the available security updates:
    sudo yum update --security -y
    sudo yum --security update-minimal
  5. Reboot the system:
    sudo reboot
  6. Run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all

Single-node OEL installation of Splunk User Behavior Analytics:

  1. Log in to the Splunk User Behavior Analytics server as the caspida user.
  2. Run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. Run the following commands to check for any available security updates:
    sudo yum updateinfo list security all
    sudo yum updateinfo list sec
  4. Run the following command to resolve glibc package dependencies:
    sudo yum update glibc-devel
  5. Run the following command to update all packages with the available security updates:
    sudo yum update --security -y
    sudo yum --security update-minimal
  6. Reboot the system:
    sudo reboot
  7. Run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all

Multi-node AMI or OVA installation of Splunk User Behavior Analytics:

The Splunk User Behavior Analytics AMI and OVA images use Ubuntu as the operating system. 

Applying the security patches can take up to one hour.

  1. Log in to the Splunk User Behavior Analytics management node as the caspida user.
  2. On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
    1. Run the following commands to install the latest unattended-upgrades package:
      sudo apt update
      sudo apt install unattended-upgrades
    2. If you see the prompt "What do you want to do about modified configuration file 50unattended-upgrades?", select keep the local version currently installed.
    3. Run the following command:
      sudo apt autoremove
    4. Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and un-comment the following line:
      Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.

      "${distro_id}:${distro_codename}-security";
      Leave all other lines commented out.
    5. Run the following command:
      sudo unattended-upgrade -d
    6. Edit the /etc/init.d/zookeeper-server file and change su to runuser in all of the following lines:
      Skip this step if you have previously applied security patches to your Ubuntu environment following these instructions.

      Before:
      su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
      su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
      su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
      After:
      runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
      runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
      runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
    7. Reboot the system:
      sudo reboot
  4. On the management node, run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all
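
One way to confirm the two manual file edits in the Ubuntu (AMI or OVA) procedures, single-node steps 6 and 8 and the matching multi-node sub-steps, before rebooting a node. This is an added example, not part of the Splunk documentation: the function names and the sample files are constructed, and it assumes the origin line sits in the stock Unattended-Upgrade::Allowed-Origins block of 50unattended-upgrades.

```shell
#!/usr/bin/env bash
# Added example (not Splunk's code): verify the two manual file edits from the
# Ubuntu procedure. Assumes the origin entry sits in the stock
# Unattended-Upgrade::Allowed-Origins { ... }; block of 50unattended-upgrades.

# Print the uncommented origin entries, one per line, whitespace-trimmed.
active_origins() {
    sed -n '/^[[:space:]]*Unattended-Upgrade::Allowed-Origins/,/^[[:space:]]*};/p' "$1" |
        grep -E '^[[:space:]]*"' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Succeed only if the -security origin is the single active entry.
origins_ok() {
    [ "$(active_origins "$1")" = '"${distro_id}:${distro_codename}-security";' ]
}

# Count lines that still call su for the zookeeper user (0 once the edit is done).
remaining_su_lines() {
    grep -cE '(^|[^[:alnum:]_])su[[:space:]]+-s[[:space:]]+/bin/bash[[:space:]]+zookeeper' "$1" || true
}

# Constructed sample files standing in for the real ones, so this runs offline.
# The zookeeper sample deliberately has one line that was missed during editing.
write_samples() {
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
EOF
    cat > "$1/zookeeper-server" <<'EOF'
    runuser -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
    su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
    runuser -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
origins_ok "$demo_dir/50unattended-upgrades" && echo "origins: only -security is active"
echo "zookeeper-server: $(remaining_su_lines "$demo_dir/zookeeper-server") su line(s) left to change"
rm -rf "$demo_dir"
```

On a UBA node, call origins_ok on /etc/apt/apt.conf.d/50unattended-upgrades and remaining_su_lines on /etc/init.d/zookeeper-server instead of the sample files.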

Multi-node RHEL installation of Splunk User Behavior Analytics:

  1. Log in to the Splunk User Behavior Analytics management node as the caspida user.
  2. On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
    1. Run the following commands to check for any available security updates:
      sudo yum updateinfo list security all
      sudo yum updateinfo list sec
    2. Run the following command to update all packages with the available security updates:
      sudo yum update --security -y
      sudo yum --security update-minimal
    3. Reboot the system:
      sudo reboot
  4. On the management node, run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all

Multi-node OEL installation of Splunk User Behavior Analytics:

  1. Log in to the Splunk User Behavior Analytics management node as the caspida user.
  2. On the management node, run the following command to stop Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida stop-all
  3. On each other Splunk User Behavior Analytics node, log in as the caspida user and perform the following tasks:
    1. Run the following commands to check for any available security updates:
      sudo yum updateinfo list security all
      sudo yum updateinfo list sec
    2. Run the following command to resolve glibc package dependencies:
      sudo yum update glibc-devel
    3. Run the following command to update all packages with the available security updates:
      sudo yum update --security -y
      sudo yum --security update-minimal
    4. Reboot the system:
      sudo reboot
  4. On the management node, run the following command to start Splunk User Behavior Analytics and all services:
    /opt/caspida/bin/Caspida start-all

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.