Splunk AppInspect check criteria
- Splunk AppInspect check criteria
- Alert actions structure and standards
- App.conf standards
- Addon_builder.conf standards
- Authentication.conf file standards
- Authorize.conf file standards
- Splunk Cloud Platform operations simple application check
- Configuration file standards
- Custom search command structure and standards
- Custom workflow actions structure and standards
- Data model files and configurations
- Directory structure standards
- Documentation standards
- Indexes.conf file standards
- JavaScript file standards
- JSON file standards
- Limits.conf file standards
- Lookup file standards
- Malware, viruses, malicious content, user security standards (dynamic checks)
- Malware, viruses, malicious content, user security standards (static checks)
- Meta file standards
- Modular inputs structure and standards
- Operating system standards
- Outputs.conf file standards
- Props Configuration file standards
- Python file standards
- REST endpoints and handler standards
- Saved search standards
- Security vulnerabilities
- Server configuration file standards
- Source code and binaries standards
- Splunk app packaging standards
- Splunk Packaging Toolkit (SLIM) validation (dynamic checks)
- Web.conf File Standards
- XML file standards
- jQuery standards
- JavaScript Usage
- Front-end libraries usage
- Victoria-specific config replication checks
- ITSI Modules validation
- Deprecated features from Splunk Enterprise 5.0
- Deprecated features from Splunk Enterprise 6.0
- Deprecated features from Splunk Enterprise 6.1
- Deprecated features from Splunk Enterprise 6.2
- Deprecated features from Splunk Enterprise 6.3
- Deprecated features from Splunk Enterprise 6.4
- Deprecated features from Splunk Enterprise 6.5
- Deprecated or removed features from Splunk Enterprise 6.6
- Deprecated features from Splunk Enterprise 7.1
- Deprecated features from Splunk Enterprise 7.2
- Deprecated features from Splunk Enterprise 7.3
- Deprecated features from Splunk Enterprise 8.0
- Universal Configuration Console standards
- SPL2-specific checks
- See also
Checks are the individual criteria against which Splunk apps are evaluated when they are submitted for Cloud vetting and Splunkbase validation.
For information about changes, see the Cloud Vetting Change Policy.
For the latest changes to Splunk AppInspect checks and tags, see What's new in Splunk AppInspect CLI.
Alert actions structure and standards
Custom alert actions are defined in an alert_actions.conf file located in the /default directory of the app. For more, see Custom alert actions overview and alert_actions.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_alert_actions_exe_exist | x | x | Check that each custom alert action has a valid executable. If it does, check whether the executable is a Python script, and if so, check that it is Python 3 compatible. |
check_for_explicit_exe_args | x | x | Check whether any custom alert actions have executable arguments. |
check_for_payload_format | x | x | Check that each custom alert action's payload format has a value of xml or json. |
App.conf standards
The app.conf file located at default/app.conf provides key application information and branding. For more, see app.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_trigger_stanza | x | x | Check that default/app.conf doesn't have reload.<CONF_FILE>, where CONF_FILE is a non-custom conf. (https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Appconf#.5Btriggers.5D) |
check_for_valid_package_id | x | x | Check that the [package] stanza in app.conf has a valid id value. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Appconf for details. |
check_for_valid_ui_label | x | x | Check that default/app.conf or local/app.conf contains a label key-value pair in the [ui] stanza and that its length is between 5 and 80 characters inclusive. |
check_no_install_source_checksum | x | x | Check that install_source_checksum and install_source_local_checksum are not set explicitly in default/app.conf. |
check_ | x | x | Check that default/app.conf sets is_configured = False. |
check_ | x | x | Check that custom .conf files have a corresponding reload trigger in app.conf. Without a reload trigger the app will request a restart on any change to the .conf file, which may be a negative experience for end users. |
check_for_default_splunk_app | x | x | Check that the id attribute under the [package] stanza in app.conf does not match any of the Splunk default app names. |
check_for_updates_disabled | x | | Check that the [package] stanza in app.conf specifies check_for_updates as False for private apps. |
check_custom_conf_replication | x | x | Check that custom .conf files have a matching conf_replication_include.<conf_file_name> value in server.conf, under the [shclustering] stanza, to ensure that configurations are synchronized across search head clusters. |
check_ | x | x | Check that install_source_local_checksum is not set explicitly in default/app.conf or local/app.conf. |
Addon_builder.conf standards
The addon_builder.conf file located at default/addon_builder.conf provides information about the Splunk Add-on Builder associated with the Splunk app. For more, see Add-on Builder.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_addon_builder_version | x | x | Check that the addon_builder.conf contains a Splunk Add-on Builder version number in the [base] stanza. Ensure that apps built with Add-on Builder are maintained with an up-to-date version of Add-on Builder. |
Authentication.conf file standards
Ensure that bindDNpassword is not specified. For more, see authentication.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that saml-* stanzas in authentication.conf do not turn off the signedAssertion property. |
check_ | x | x | Check that all scripted authentications defined in authentication.conf explicitly set python.version to python3. |
check_ | x | x | Check that no role mapping defined in authentication.conf maps to splunk-system-role. |
Authorize.conf file standards
Ensure that the authorize configuration file located in the /default folder is well-formed and valid. For more, see authorize.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that authorize.conf does not contain any modified capabilities. |
check_for_o11y_roles | x | x | Check that authorize.conf does not contain any O11y role stanzas. An O11y role is one of o11y_admin, o11y_power, o11y_read_only or o11y_usage. |
check_ | x | x | Checks that authorize.conf has no capabilities starting with o11y_. |
check_authorize_conf_role_names | x | x | Checks that roles defined in authorize.conf match the specification. |
check_ | x | x | Check that authorize.conf does not contain a [commands:user_configurable] stanza. This configuration can be used to disable nsjail, which is prohibited in Splunk Cloud. |
Splunk Cloud Platform operations simple application check
This group helps validate simple applications, with the goal of automating the validation process for Splunk Cloud Platform operations.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check the commands referenced in the alert.execute.cmd property of all alert actions for compliance with Splunk Cloud Platform security policy. |
check_audit_conf_deny_list | x | x | Check that the app does not contain audit.conf, as it is prohibited in Splunk Cloud Platform due to its ability to configure or disable cryptographic signing and certificates. |
check_ | x | x | Check that authorize.conf does not grant excessive administrative permissions to the user. |
check_ | x | x | Check that authorize.conf does not contain a tokens_auth stanza. |
check_ | x | x | Check that authorize.conf does not contain importRoles and grantableRoles for any built-in roles. Modifying the inheritance of the default roles in Splunk can have potentially severe consequences, including privilege escalation. |
check_bookmarks_conf_deny_list | x | x | Check that app does not contain bookmarks.conf as this feature is not available in Splunk Cloud Platform. |
check_ | x | x | Check that custom search commands have an executable or script per stanza. |
check_datatypesbnf_conf_deny_list | x | x | Check that app does not contain datatypesbnf.conf , as it is prohibited in Splunk Cloud Platform. |
check_ | x | x | Check that directories under default/data/ui contain only allowed files. |
check_default_mode_conf_deny_list | x | x | Check that the app does not contain default-mode.conf, as it is prohibited in Splunk Cloud Platform because Splunk light forwarders and Splunk universal forwarders are not run in Splunk Cloud Platform. |
check_deployment_conf_deny_list | x | x | Check that the app does not contain deployment.conf. Apps should leave deployment configuration up to Splunk administrators. Also, deployment.conf has been removed and replaced by: 1) deploymentclient.conf for configuring deployment clients; 2) serverclass.conf for deployment server server class configuration. |
check_ | x | x | Check that the app does not contain deploymentclient.conf, as it configures the deployment server client. Apps should leave deployment configuration up to Splunk administrators. |
check_ | x | x | Check if concerningReplicatedFileSize in distsearch.conf is larger than 50 MB. |
check_ | x | x | Check that all executable binary files have matching source code. For each binary file, source code with the same name should be provided, or the app's README should declare what the binary file is for. Details for passing this check are returned if you fail it. |
check_for_index_volume_usage | x | x | Check that indexes.conf does not declare volumes. |
check_for_inputs_fifo_usage | x | x | Check that the [fifo] stanza in inputs.conf does not point to a path within a Splunk Cloud Platform-replicated scope defined by distsearch.conf. [fifo] usually points to a file whose size may inflate. Such files must not be replicated across Splunk Cloud Platform environments since they would consume significant network bandwidth. |
check_for_java | x | x | Check whether the app contains Java files. Java files will be inspected for compliance with Splunk Cloud Platform security policy. |
check_for_perl | x | x | Check if the app contains Perl scripts. Perl scripts will be inspected for compliance with Splunk Cloud Platform security policy. |
check_health_conf_deny_list | x | x | Check that app does not contain health.conf as sc_admin is not able to see or configure health report in Splunk Cloud Platform. |
check_ | x | x | Check that indexes defined in indexes.conf use relative paths starting with $SPLUNK_DB. |
check_ | x | x | Check that batch inputs have the required attributes. The following key/value pair is required for batch inputs: move_policy = sinkhole. |
check_inputs_conf_for_batch | x | x | Check that batch input accesses files in a permitted way. To be permissible, the batch input must meet the following criteria: 1) The file path needs to match a file in the directory $SPLUNK_HOME/var/spool/splunk/ 2) The file name needs to be application specific $SPLUNK_HOME/etc/apps/<my_app> 3) The file name should not end with "stash" or "stash_new". |
check_inputs_conf_for_fschange | x | x | Check that default/inputs.conf or local/inputs.conf does not contain an [fschange] stanza. |
check_ | x | x | Check that default/inputs.conf or local/inputs.conf does not contain an [http] stanza. |
check_ | x | x | Check that inputs.conf does not have any remote_queue inputs. |
check_inputs_conf_for_splunk_tcp | x | x | Check that default/inputs.conf or local/inputs.conf does not contain a [splunktcp] stanza. |
check_ | x | x | Check that default/inputs.conf or local/inputs.conf does not contain a [splunktcptoken] stanza. |
check_inputs_conf_for_ssl | x | x | Check that inputs.conf does not have any SSL inputs. |
check_for_outdated_ssl_tls | x | x | Check that no connections use ssl3, tls1.0 or tls1.1; these are deprecated since Splunk 10.0 because the OpenSSL dependency was updated to 3.0. The only valid TLS/SSL version is tls1.2. |
check_inputs_conf_for_tcp | x | x | Check that default/inputs.conf or local/inputs.conf does not contain a [tcp] stanza. |
check_inputs_conf_for_udp | x | x | Check that inputs.conf does not have any UDP inputs. |
check_instance_cfg_conf_deny_list | x | x | Check that the app does not contain instance.cfg.conf. Apps should not configure server- or instance-specific settings. |
check_ | x | x | Check that app does not contain crawl.conf as it allows Splunk to introspect the filesystem which is not permitted in Splunk Cloud Platform. |
check_literals_conf_deny_list | x | x | Check that app does not contain literals.conf . Apps should not alter/override text strings displayed in Splunk Web. |
check_lookups_allow_list | x | x | Check that lookups/ contains only approved file types (CSV, CSV.DEFAULT, CSV.GZ, CSV.TGZ, KMZ) or files formatted as valid CSV. |
check_messages_conf_deny_list | x | x | Check that app does not contain messages.conf . Apps should not alter/override messages/externalized strings. |
check_metadata_allow_list | x | x | Check that the metadata/ directory only contains META files. |
check_ | x | x | Check that there is a script file in bin/ for each modular input defined in README/inputs.conf.spec . |
check_pubsub_conf_deny_list | x | x | Check that app does not contain pubsub.conf as it defines a custom client for the deployment server. Apps should leave deployment configuration up to Splunk administrators. |
check_ | x | x | Check the cmd path pattern of scripted inputs defined in inputs.conf. |
check_ | x | x | Check that python version is python3 for scripted inputs defined in inputs.conf . |
check_segmenters_conf_deny_list | x | x | Check that app does not contain segmenters.conf with Splunk stanza. A misconfigured segmenters.conf can result in unsearchable data that could only be addressed by re-indexing and segmenters.conf configuration is system-wide. |
check_serverclass_conf_deny_list | x | x | Check that app does not contain serverclass.conf as it defines deployment server classes for use with deployment server. Apps should leave deployment configuration up to Splunk administrators. |
check_ | x | x | Check that app does not contain serverclass.seed.xml.conf as it configures deploymentClient to seed a Splunk installation with applications at startup time. Apps should leave deployment configuration up to Splunk administrators. |
check_ | x | x | Check that the app does not contain source-classifier.conf, as it configures system-wide settings for ignoring terms (such as sensitive data). |
check_sourcetypes_conf_deny_list | x | x | Check that app does not contain sourcetypes.conf as it is a machine-generated file that stores source type learning rules. props.conf should be used to define sourcetypes. |
check_splunk_launch_conf_deny_list | x | x | Check that app does not contain splunk-launch.conf as it defines environment values used at startup time. System-wide environment variables should be left up to Splunk administrators. |
check_stanza_of_authentication_conf | x | x | Check that only role-mapping stanza is allowed in authentication.conf as long as it doesn't map users to a cloud-internal role. |
check_ | x | x | Check that the static/ directory contains only known file types. |
check_telemetry_conf_deny_list | x | x | Check that app does not contain telemetry.conf as it controls a Splunk-internal feature that should not be configured by apps. |
check_ | x | x | Check whether the app contains MS Windows-specific components, which will not function correctly in Splunk Cloud Platform, whose OS is Linux x64. |
check_ | x | x | Check that the app does not contain configurations for default source types in props.conf, which would overwrite the configurations of default source types in system/default/props.conf and thereby affect other apps in Splunk Enterprise or Splunk Cloud Platform. |
check_ | x | x | Check that transforms.conf does not contain any transforms with malicious command scripts specified by the external_cmd=<string> attribute, and does not contain a scripted lookup that uses a Python 2 script. |
check_user_seed_conf_deny_list | x | x | Check that the app does not contain user-seed.conf, as it is used to preconfigure default login and password information. |
check_wmi_conf_deny_list | x | x | Check that the app does not contain wmi.conf, as it is prohibited in Splunk Cloud Platform due to its ability to configure Splunk to ingest data via Windows Management Instrumentation, which should be done via a forwarder. Forwarders are not permitted in Splunk Cloud Platform. |
check_workload_pools_conf_deny_list | x | x | Check that the app does not contain workload_pools.conf in Splunk Cloud Platform. Apps should not modify workload categories or pools; these should be controlled only by Splunk Cloud Platform administrators. |
check_workload_rules_conf_deny_list | x | x | Check that the app does not contain workload_rules.conf in Splunk Cloud Platform, as it automatically triggers actions on running search processes. |
check_setup_xml | x | x | Check that setup.xml does not exist in the app default or local folders. |
check_for_shell | x | x | Check whether the app contains shell files. Shell files will be manually inspected for compliance with Splunk Cloud Platform security policy. |
check_inputs_conf_for_http_inputs | x | x | Apps cannot ship a configured HEC token in inputs.conf. HEC tokens must be created by stack admins via ACS. For more, see Use the HTTP Event Collector. |
check_java_sdk_version | x | x | Check that the Splunk SDK for Java is up-to-date. |
check_passwords_conf_deny_list | x | x | Secrets in passwords.conf are either plain text, which is not allowed, or encrypted using the host-specific splunk.secret; pre-encrypted secrets will not work in Splunk Cloud Platform. |
check_runshellscript_command | x | x | Check that runshellscript command is not used. This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. |
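As an added example (not AppInspect's own code), the following Python script parses Splunk .conf files and applies a few of the app.conf checks from the App.conf standards table above (is_configured, install source checksums, reload triggers for custom confs) together with the inputs.conf stanza deny-list and batch move_policy checks from this table. The list of Splunk-shipped conf names, the {path: text} input shape and the sample app are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Added example, not AppInspect's own code: a minimal static checker that parses
# Splunk .conf files and applies some of the app.conf and inputs.conf checks above.
Conf = Dict[str, Dict[str, str]]

# Partial, constructed list of Splunk-shipped conf names (a real checker carries
# the full list); anything not listed is treated as a custom conf.
STANDARD_CONFS = {"app", "alert_actions", "commands", "inputs", "props", "transforms",
                  "savedsearches", "server", "restmap", "indexes", "authorize", "limits"}
# inputs.conf stanza types rejected by the Cloud checks in the table above.
DENIED_INPUT_TYPES = {"fschange", "http", "splunktcp", "splunktcptoken", "tcp", "udp",
                      "remote_queue", "ssl"}


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text into {stanza: {key: value}}; keys before any
    [stanza] header land in [default]; a trailing backslash continues a line."""
    stanzas: Conf = {}
    current, pending = "default", ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]          # (trailing whitespace after the backslash
            continue                     # defeats this, hence check_config_file_parsing)
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in stripped:
            key, value = stripped.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def check_app_conf(app_conf: Conf, custom_confs: List[str]) -> List[str]:
    """is_configured, install checksum and reload-trigger checks on app.conf."""
    findings: List[str] = []
    install = app_conf.get("install", {})
    # Splunk accepts 0/false and 1/true for booleans; anything but false fails.
    if install.get("is_configured", "false").lower() not in ("0", "false"):
        findings.append("app.conf: [install] is_configured must be false")
    for key in ("install_source_checksum", "install_source_local_checksum"):
        if key in install:
            findings.append(f"app.conf: [install] {key} must not be set")
    triggers = app_conf.get("triggers", {})
    for key in triggers:                  # reload.<name> must not target a shipped conf
        if key.startswith("reload.") and key[len("reload."):] in STANDARD_CONFS:
            findings.append(f"app.conf: [triggers] {key} targets a non-custom conf")
    for name in custom_confs:             # and every custom conf needs a trigger
        if f"reload.{name}" not in triggers:
            findings.append(f"{name}.conf: no reload.{name} trigger in app.conf")
    return findings


def check_inputs_conf(inputs_conf: Conf) -> List[str]:
    """Denied input stanza types and the batch move_policy requirement."""
    findings: List[str] = []
    for stanza, settings in inputs_conf.items():
        match = re.match(r"[A-Za-z_]+", stanza)   # scheme before :// or :
        kind = match.group(0).lower() if match else ""
        if kind in DENIED_INPUT_TYPES:
            findings.append(f"inputs.conf: [{stanza}] is not permitted in Splunk Cloud")
        elif kind == "batch" and settings.get("move_policy") != "sinkhole":
            findings.append(f"inputs.conf: [{stanza}] requires move_policy = sinkhole")
    return findings


def run_checks(app_files: Dict[str, str]) -> List[str]:
    """Run both check groups over an app given as {relative path: file text}."""
    confs = {p: parse_conf(t) for p, t in app_files.items()
             if p.startswith("default/") and p.endswith(".conf")}
    names = [p[len("default/"):-len(".conf")] for p in confs]
    custom = sorted(n for n in names if n not in STANDARD_CONFS)
    findings = check_app_conf(confs.get("default/app.conf", {}), custom)
    findings += check_inputs_conf(confs.get("default/inputs.conf", {}))
    return findings


# Constructed sample app (not a real app) that trips several of the checks.
SAMPLE_APP = {
    "default/app.conf": ("[install]\nis_configured = true\ninstall_source_checksum = deadbeef\n"
                         "[triggers]\nreload.myapp_settings = simple\nreload.props = simple\n"),
    "default/myapp_settings.conf": "[main]\nenabled = 1\n",
    "default/myapp_keys.conf": "[main]\nvalue = a \\\n  b\n",
    "default/inputs.conf": ("[monitor:///var/log/myapp]\nsourcetype = myapp\n"
                            "[tcp://514]\nsourcetype = syslog\n"
                            "[batch:///opt/myapp/drop]\nsourcetype = myapp\n"),
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_APP):
        print(finding)
```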
Configuration file standards
Ensure that all configuration files located in the /default folder are well formed and valid.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that the field.<name> type in collections.conf does not include boolean. Use bool instead. |
check_config_file_parsing | x | | Check that all config files parse cleanly: no trailing whitespace after continuations, no duplicated stanzas or options. |
check_config_file_parsing_public | x | x | Check that all config files parse cleanly: no trailing whitespace after continuations, no duplicated stanzas or options. |
check_ | x | x | Check that app conf files do not point to files outside the app container. Because hard-coded paths won't work in Splunk Cloud Platform, absolute paths are not allowed. |
check_no_default_stanzas | x | x | Check that app does not contain any .conf files that create global definitions using the [default] stanza. |
Custom search command structure and standards
Custom search commands are defined in a commands.conf file in the /default directory of the app. For more, see About writing custom search commands and commands.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that commands.conf explicitly sets python.version to python3 for each Python-scripted custom command. |
Custom workflow actions structure and standards
Custom workflow actions are defined in a workflow_actions.conf file in the /default directory of the app. For more, see About lookups and workflow_actions.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that for each workflow action in workflow_actions.conf the link.uri property uses the https protocol for external links. Unencrypted http is permitted for internal links. |
Data model files and configurations
Data models are defined in a datamodels.conf file in the /default directory of the app. For more, see About data models and datamodels.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_datamodel_acceleration | x | x | Check that accelerated data models are not used. If data model acceleration is required, developers should document how to accelerate the data models from within the Splunk Web GUI. For more, see data model acceleration. |
Directory structure standards
Ensure that the directories and files in the app adhere to hierarchy standards.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_filenames_for_spaces | x | x | Check that app has no .conf or dashboard filenames that contain spaces. Splunk software does not support such files. |
check_for_local_meta | x | x | Check that the file local.meta does not exist. All metadata permissions should be set in default.meta . |
check_that_app_name_config_is_valid | x | x | Check that the app name does not start with digits. |
check_that_local_does_not_exist | x | x | Check that the /local directory does not exist. All configuration should be in the /default directory. |
check_ | x | x | Check that local/passwords.conf does not exist. Password files are not transferable between instances. |
Documentation standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_git_merge_conflict_in_app | x | x | Check no Git merge conflicts are present in the code. |
Indexes.conf file standards
Ensure that the index configuration file located in the /default folder is well formed and valid. For more, see indexes.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that all coldToFrozenScript settings in indexes.conf explicitly set python.version to python3. |
check_indexes_conf_properties | x | x | Check that indexes.conf only contains the required homePath, coldPath, and thawedPath properties or the optional frozenTimePeriodInSecs, disabled, datatype and repFactor properties. All other properties are prohibited. This check is Splunk Cloud Platform-only because indexes are not allowed via check_indexes_conf_does_not_exist. |
check_lower_cased_index_names | x | x | Check that all index names consist only of lowercase characters, numbers, underscores and hyphens. They cannot begin with an underscore or hyphen, or contain the word "kvstore". |
check_ | x | x | Check that no default Splunk indexes are modified by the app. |
JavaScript file standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_stored_xss_in_javascript | x | x | Check for possible stored XSS in JavaScript. |
check_ | x | x | Check for usages of telemetry metrics in JavaScript. |
check_ | x | x | Check if the app contains UDP communication in JavaScript files. |
check_ | x | x | Check for weak encryption in JavaScript. |
check_ | x | x | Check that the app does not use a REST endpoint to collect and send telemetry data. |
JSON file standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that all JSON files are well-formed. |
Limits.conf file standards
Ensure that the /default/limits.conf file is omitted. When included in the app, the limits.conf file changes the limits that are placed on the system for hardware use and memory consumption, which is a task that should be handled by Splunk administrators and not by Splunk app developers. For more, see limits.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_limits_conf | x | x | Check that default/limits.conf or local/limits.conf have not been included. |
check_ | x | | Check that limits.conf does not contain any settings other than password masking. |
Lookup file standards
Lookups add fields from an external source to events based on the values of fields that are already present in those events.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_lookups_file_name | x | x | Check that no two files or directories under the lookups directory are named xxx and xxx.default, differing only in the .default extension. During the installation of an app in Splunk Cloud Platform, a lookup file is temporarily renamed with an additional .default extension, which causes an error if a file of that name already exists. |
Malware, viruses, malicious content, user security standards (dynamic checks)
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_viruses | x | x | Check that the app does not include viruses. |
Dynamic checks are performed only when you use the Splunk AppInspect API to vet your app, not by using the Splunk AppInspect CLI.
Malware, viruses, malicious content, user security standards (static checks)
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_hostnames_and_ips | x | x | Check that no sensitive hostnames/IPs are stored in the app. |
Meta file standards
Ensure that all meta files located in the /metadata folder are well formed and valid.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_kos_are_accessible | x | x | Check that knowledge objects with access control restrictions defined in META files are accessible to customers in Splunk Cloud Platform. |
check_meta_default_write_access | x | x | Check that the global write access in .meta does not allow any authenticated user to write to the knowledge objects under the application. |
check_reload_trigger_for_meta | x | x | Check that stanzas in .meta describing custom config files have corresponding reload triggers in app.conf. Without a reload trigger the app will request a restart on any change to the config file or a corresponding stanza, which may be a negative experience for end-users. |
Modular inputs structure and standards
Modular inputs are configured in an inputs.conf.spec file located in the /README directory of the app. For more, see Modular inputs overview, Modular inputs configuration, and Modular inputs examples.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that all the modular inputs defined in inputs.conf.spec have explicitly set the python.version to python3 . |
Operating system standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_destructive_commands | x | x | Check for the use of malicious shell commands in configuration files or shell scripts to corrupt the OS or Splunk instance. Other scripting languages are covered by other checks. |
Outputs.conf file standards
Ensure that the outputs.conf file located in the /default folder of the app is well formed and valid. For more, see outputs.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_if_outputs_conf_exists | x | x | Check that forwarding is not enabled in outputs.conf; enabled forwarding fails in Splunk Cloud Platform. |
Props Configuration file standards
Ensure that all props.conf files located in the default (or local) folder are well-formed and valid. For more, see props.conf and transforms.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that pretrained sourcetypes in props.conf have only TRANSFORM- or SEDCMD settings, and that those transforms only modify the host, source, or sourcetype. |
check_ | x | x | Check that the props.conf does not contain lookup() usage in INGEST_EVAL options. This feature is not available in Splunk Cloud. |
check_ | x | x | Check that the sourcetypes in props.conf do not contain any prohibited characters. Special characters <>?&# are not allowed. |
check_ | x | x | Check that props.conf does not contain unarchive_cmd settings with invalid_cause set to archive. |
Python file standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that all Python files are well-formed under both the Python 2 and Python 3 standards. |
check_for_builtin_functions | x | x | Check for usages of the built-in functions open, eval, execfile and file in Python files. |
check_for_compiled_python | x | x | Check that there are no PYC or PYO files included in the app. |
check_ | x | x | Check if custom Python interpreters could be used in malicious code execution. |
check_ | x | x | Check if data compression and archiving libraries could be used to read and write files outside of the app directory. |
check_for_debugging_and_profiling | x | x | Check if a debugging library could be used to execute arbitrary commands. |
check_for_file_and_directory_access | x | x | Check for possible file and directory access that could be used for external file manipulation. |
check_for_hidden_python_files | x | x | Check that there are no hidden Python files included in the app. |
check_ | x | x | Check for operating system features that are available on selected operating systems only. |
check_for_possible_threading | x | x | Check for the use of threading and multiprocessing. Threads or processes must be used with discretion and must not negatively affect the Splunk installation as a whole. |
check_for_program_frameworks | x | x | Check if program frameworks could be used to interface with web components. |
check_ | x | x | Check if the multimedia services module could be used to execute multimedia files from unknown sources. |
check_ | x | x | Check for UDP network communication. |
check_for_restricted_execution | x | x | Check if restricted execution exists in the current app. |
check_ | x | x | Check if a possible reverse shell exists in Python code. |
check_for_root_privilege_escalation | x | x | Check for possible root privilege escalation. |
check_ | x | x | Check for untrusted XML usages in Python libraries. |
check_python_sdk_version | x | x | Check that Splunk SDK for Python is up-to-date. |
check_python_httplib2_version | x | x | Check Python httplib2 version. |
check_prohibited_python_filenames | x | x | Check that builtin modules are not overridden. |
REST endpoints and handler standards
REST endpoints are defined in a restmap.conf file in the /default directory of the app. For more, see restmap.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that the Python version is python3 for executables in restmap.conf. |
check_ | x | x | Check that each stanza in restmap.conf has a matching handler script. If not, throw a warning. |
check_restmap_conf_exists | x | x | Check that restmap.conf file exists at default/restmap.conf and local/restmap.conf when using REST endpoints. |
Saved search standards
Saved searches are defined in a savedsearches.conf file located in the /default directory of the app. For more, see Save and share your reports and savedsearches.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that default/savedsearches.conf searches are cron scheduled reasonably. Fewer than five asterisks should be used. |
check_ | x | x | Check that no real-time pre-index saved searches are used in savedsearches.conf. Real-time pre-index saved searches are extremely system intensive and should be avoided. |
check_ | x | x | Check that a scheduled saved search in savedsearches.conf contains the dispatch.earliest_time option, or, if auto summary is enabled, the auto_summarize.dispatch.earliest_time option. |
check_ | x | x | Check that a savedsearches.conf stanza that contains scheduling options also contains dispatch.latest_time. |
check_ | x | x | Check that savedsearches.conf stanzas do not contain the action.script.filename option. |
check_ | x | x | Check that savedsearches.conf stanzas do not contain the action.populate_lookup option. |
Security vulnerabilities
Security vulnerabilities
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check for environment variable manipulation and attempts to monitor sensitive environment variables. |
check_ | x | x | Check for insecure HTTP calls in Python for cloud tag. |
check_for_sensitive_info_in_url | x | x | Check for sensitive information being exposed in transit via URL query string parameters. |
check_symlink_outside_app | x | x | Check no symlink points to the file outside this app. |
check_for_supported_tls_private | x | | Check that all outgoing connections use TLS in accordance with Splunk Cloud Platform policy for private tags. |
check_for_supported_tls | x | x | Check that all outgoing connections use TLS in accordance with Splunk Cloud Platform policy for the cloud tag. |
check_for_camel_jars | x | x | Check for vulnerable Apache Camel dependencies. |
Server configuration file standards
Ensure that server.conf is well formed and valid. For detailed information about the server configuration file, see server.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that server.conf in an app contains only: 1) conf_replication_include.<custom_conf_files> in the [shclustering] stanza, or 2) the EXCLUDE-<class> property in the [diag] stanza. |
Source code and binaries standards
Source code and binaries standards.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_bin_files | x | x | Check that files outside of the bin and appserver/controllers directories do not have execute permissions and are not EXE files. On Unix platforms, Splunk recommends 644 for all app files outside of the bin directory, 644 for scripts within the bin directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin directory that are invoked directly (e.g. ./my_script.sh or ./my_script). On Windows platforms, Splunk recommends removing users' FILE_GENERIC_EXECUTE right for all app files outside of the bin directory, except for users in ['Administrators', 'SYSTEM', 'Authenticated Users', 'Administrator']. |
check_idx_binary_compatibility | x | x | Checks that binaries that are distributed to the IDX tier of a distributed Splunk platform deployment are compatible with aarch64. |
check_aarch64_compatibility | x | | Check that every binary file is compatible with AArch64. |
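The check_for_bin_files rule above can be reproduced locally before submitting a package. The following script is an added example written for this page, not AppInspect's own implementation: it walks an unpacked app directory, flags any file outside bin/ or appserver/controllers/ that carries a Unix execute bit or starts with the "MZ" header of a Windows EXE, and builds a small constructed sample app in a temporary directory so it runs stand-alone. The sample file names and modes are constructed for illustration.

```python
import os
import stat
import tempfile

# Directories whose files are allowed to carry execute permissions (per the
# check_for_bin_files description above).
EXEC_ALLOWED_DIRS = ("bin", "appserver/controllers")

# Mode bits that mean "somebody can execute this" on Unix.
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_pe_executable(path):
    """Windows EXE/DLL files (PE format) begin with the two-byte 'MZ' DOS header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def audit_app_permissions(app_root):
    """Return sorted findings for files outside bin/ and appserver/controllers/
    that are executable by mode or by content.

    Mode bits are only meaningful on Unix; on Windows the EXE-header test is
    the part that still applies.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(app_root):
        rel_dir = os.path.relpath(dirpath, app_root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
        in_allowed = any(
            rel_dir == d or rel_dir.startswith(d + "/") for d in EXEC_ALLOWED_DIRS
        )
        if in_allowed:
            continue  # bin/ and appserver/controllers/ may hold executables
        for name in files:
            full = os.path.join(dirpath, name)
            rel = f"{rel_dir}/{name}" if rel_dir else name
            mode = os.stat(full).st_mode
            if mode & ANY_EXEC:
                findings.append(
                    f"{rel}: has execute permission ({stat.filemode(mode)}) "
                    "outside bin/ or appserver/controllers/"
                )
            if is_pe_executable(full):
                findings.append(
                    f"{rel}: is a Windows EXE (MZ header) outside bin/ or appserver/controllers/"
                )
    return sorted(findings)


def build_sample_app(root):
    """Create a constructed sample app layout with deliberate permission mistakes."""
    sample = {
        "default/app.conf": (b"[launcher]\nversion = 1.0.0\n", 0o644),     # fine
        "bin/run.sh": (b"#!/bin/sh\necho ok\n", 0o755),                    # fine: inside bin/
        "appserver/controllers/ctl.py": (b"# controller\n", 0o755),        # fine: allowed dir
        "lookups/tool.sh": (b"#!/bin/sh\necho oops\n", 0o755),             # flagged: exec bit
        "static/helper.exe": (b"MZ\x90\x00constructed", 0o644),           # flagged: EXE content
    }
    for rel, (content, mode) in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    app = build_sample_app(tempfile.mkdtemp(prefix="sample_app_"))
    for finding in audit_app_permissions(app):
        print(finding)
```

Run it against a real unpacked app by calling audit_app_permissions("/path/to/app") instead of the constructed sample; an empty result means no file outside the two allowed directories is executable by mode or by content.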
Splunk app packaging standards
These checks validate that a Splunk app has been correctly packaged, and can be provided safely for package validation.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_requires_adobe_flash | x | x | Check that the app does not use Adobe Flash files. |
check_package_compression | x | x | Check that the package is compressed correctly. |
check_ | x | x | Check that the extracted Splunk app contains a default/app.conf file. |
check_ | x | x | Check that the extracted Splunk app does not contain any files with incorrect permissions. Files must have owner read and write permissions (600). |
check_ | x | x | Check that the extracted Splunk app does not contain any directories with incorrect permissions. Directories and subdirectories must have the owner's permissions set to r/w/x (700). |
check_ | x | x | Check that the extracted Splunk app does not contain any directories or files that start with a period (.), or directories that start with __MACOSX. |
check_ | x | x | Check that the Splunk app package does not contain any non-app files. Files within a valid app folder or valid dependencies within a .dependencies folder are permitted, all other files are not. |
check_ | x | x | Check that the compressed artifact extracts to a directory that does not start with a . character. |
check_ | x | x | Check that the Splunk app provided does not contain incorrect permissions. Packages must have the owner's read permission set to r (400). |
check_ | x | x | Check that the Splunk app package contains only valid dependencies. Dependencies are valid if a .dependencies directory contains only valid app packages inside. |
check_ | x | x | Check that the Splunk app provided does not start with a . character. |
check_ | x | x | Check that the Splunk app provided is a valid compressed file. |
check_ | x | x | Check that the Splunk app package with a .dependencies directory also contains an app folder with an app.manifest. |
check_ | x | x | Check that the Splunk app package with a .dependencies directory also contains exactly one valid app folder. |
check_ | x | x | Check that the extracted Splunk app does not contain only app.conf. |
check_valid_version_number | x | x | Check that the extracted Splunk app contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Major.Minor.Revision . |
check_version_is_valid_semver | x | x | Check that the extracted Splunk app contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Semantic Versioning 2.0.0. |
check_ | x | x | Check that the provided app package is not a ZIP archive, for SSAI purposes. |
Splunk Packaging Toolkit (SLIM) validation (dynamic checks)
This group uses slim to extend the cloud checks for improved auto-vetting.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_modular_inputs | x | x | Check that inputs.conf.spec does not include modular inputs that perform management tasks. |
check_for_nested_apps | x | x | Check that nested apps do not exist as they are not valid for self-service install. |
check_for_nested_archives | x | x | Check that nested archives do not exist as they are not valid for self-service install. |
check_for_scripted_inputs | x | x | Check that inputs.conf does not include scripted inputs that perform management tasks. |
check_ | x | | Check that apps with app.manifest are valid or apps without an app.manifest can generate one. |
check_ | x | x | Check that apps with app.manifest are valid or apps without an app.manifest can generate one. |
Dynamic checks are performed only when you use the Splunk AppInspect API to vet your app, not by using the Splunk AppInspect CLI.
Web.conf File Standards
Ensure that web.conf is safe for Splunk Cloud Platform deployment and that any exposed patterns match endpoints defined by the app - apps should not expose endpoints other than their own. Including web.conf can have adverse impacts for Splunk Cloud Platform. Allow only [endpoint:*] and [expose:*] stanzas, with expose only containing pattern= and methods= properties. For more, see web.conf.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_web_conf | x | x | Check that web.conf only defines [endpoint:*] and [expose:*] stanzas, with [expose:*] only containing pattern= and methods=. |
check_cherrypy_controllers | x | x | Check that web.conf does not contain any custom CherryPy controllers. |
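A developer can apply the web.conf rules above to a package before vetting. The following validator is an added example written for this page, not AppInspect's check_web_conf implementation: it parses a web.conf, rejects any stanza other than [endpoint:*] or [expose:*], rejects expose properties other than pattern and methods, and, as an extra rule matching the "apps should not expose endpoints other than their own" guidance, flags expose patterns whose first path segment is not one of the app's own endpoint prefixes (the app_prefixes argument is an assumption of this example; the caller supplies it from the app's restmap.conf). The sample web.conf is constructed for illustration.

```python
import configparser

# Constructed sample web.conf mixing allowed and disallowed content.
SAMPLE_WEB_CONF = """\
[settings]
enableSplunkWebSSL = false

[endpoint:my_controller]
methods = GET

[expose:my_app_data]
pattern = my_app/data/*
methods = GET,POST

[expose:other_app]
pattern = other_app/stuff
methods = GET
skipCSRFProtection = 1
"""

ALLOWED_STANZA_KINDS = {"endpoint", "expose"}
ALLOWED_EXPOSE_KEYS = {"pattern", "methods"}


def load_conf(text):
    """Parse Splunk-style .conf text. Interpolation is off because Splunk conf
    values may legitimately contain '%', and strict=False tolerates repeated keys."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str  # keep property names case-sensitive
    parser.read_string(text)
    return parser


def check_web_conf(text, app_prefixes=None):
    """Return a list of human-readable findings; an empty list means the file passes.

    app_prefixes (assumed parameter of this example): set of first path segments
    that belong to the app's own REST endpoints. If None, the prefix rule is skipped.
    """
    conf = load_conf(text)
    findings = []
    for stanza in conf.sections():
        kind, _, _name = stanza.partition(":")
        if kind not in ALLOWED_STANZA_KINDS:
            findings.append(
                f"[{stanza}]: stanza type '{kind}' is not allowed (only endpoint:* and expose:*)"
            )
            continue
        if kind != "expose":
            continue
        props = dict(conf.items(stanza))
        for key in props:
            if key not in ALLOWED_EXPOSE_KEYS:
                findings.append(f"[{stanza}]: property '{key}' is not allowed in expose stanzas")
        for required in sorted(ALLOWED_EXPOSE_KEYS):
            if required not in props:
                findings.append(f"[{stanza}]: missing required property '{required}'")
        pattern = props.get("pattern")
        if pattern is not None and app_prefixes is not None:
            if pattern.split("/")[0] not in app_prefixes:
                findings.append(
                    f"[{stanza}]: pattern '{pattern}' does not start with an app-defined endpoint prefix"
                )
    return findings


if __name__ == "__main__":
    for line in check_web_conf(SAMPLE_WEB_CONF, app_prefixes={"my_app"}):
        print(line)
```

For a real app, read default/web.conf (and local/web.conf if present) into the text argument; the prefix set would normally be derived from the match= values of the app's restmap.conf stanzas.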
XML file standards
XML file standards.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that all XML files are well-formed. |
jQuery standards
jQuery standards.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_simplexml_standards_version | x | x | Check that the dashboards in your app have a valid version attribute. |
check_ | x | x | Check that the app files are not importing files directly from the search head. |
check_html_dashboards | x | x | Check for HTML dashboards, which are deprecated. |
JavaScript Usage
JavaScript Usage.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Detect usage of JavaScript libraries with known vulnerabilities. |
Front-end libraries usage
Front-end libraries usage.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_splunk_js | x | x | Check that SplunkJS is being used. |
check_for_splunk_sui | x | x | Check that SUI is being used. |
check_ | x | x | Check for usage of utility components. |
check_for_splunk_visualizations | x | x | Check that @splunk/visualizations is being used. |
check_for_splunk_dashboard_core | x | x | Check that @splunk/dashboard-core is being used. |
Victoria-specific config replication checks
This group includes checks for configs which may not be replicated to indexers as expected in Splunk Cloud Platform, Victoria experience.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_indexer_synced_configs | x | | Check that the app does not contain configs which might be intended for indexers, but won't be synced on Victoria. |
check_ | x | | Check that the specified location of datetime.xml is not from the local folder. |
ITSI Modules validation
This group includes checks for validating ITSI module usage.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_itsi_modules | x | x | Check that the app does not contain an ITSI module. |
Deprecated features from Splunk Enterprise 5.0
The following features should not be supported in Splunk 5.0 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that the app does not use the findtypes command. This command was for eventtype auto-discovery, which is deprecated in Splunk 5.0. |
check_ | x | x | Check that saved searches are not used within event types. |
Deprecated features from Splunk Enterprise 6.0
The following features should not be supported in Splunk 6.0 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_crawl_conf_deny_list | x | x | Check that app does not contain crawl.conf as it was deprecated and removed from Splunk software. |
check_for_viewstates_conf | x | x | Check that default/viewstates.conf does not exist in the app. |
Deprecated features from Splunk Enterprise 6.1
The following features should not be supported in Splunk 6.1 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that deprecated datamodel/acceleration is not used. |
Deprecated features from Splunk Enterprise 6.2
The following features should not be supported in Splunk 6.2 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check Dashboard XML files for <list> element. <list> was deprecated in Splunk 6.2 and removed in Splunk 6.5. |
check_ | x | x | Check for the deprecated <earliestTime> and <latestTime> elements in dashboard XML files. As of version 6.2 these elements are replaced by <earliest> and <latest> elements. |
check_ | x | x | Check for the deprecated <populatingSearch> and <populatingSavedSearch> elements in dashboard XML files. Use the <search> element instead. |
check_for_simple_xml_row_grouping | x | x | Check for the deprecated grouping attribute of row node in Simple XML files. Use the <panel> node instead. |
Deprecated features from Splunk Enterprise 6.3
The following features should not be supported in Splunk 6.3 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_django_bindings | x | x | Check for use of Django bindings. |
check_for_run_script_alert_action | x | x | Check for use of running a script in alert action. |
check_ | x | x | Check for Simple XML <chart> panels with the deprecated options charting.axisLabelsY.majorTickSize or charting.axisLabelsY.majorLabelVisibility. |
check_ | x | x | Check for the deprecated <option name='previewResults'> in Simple XML files. |
check_ | x | x | Check for the deprecated <searchTemplate>, <searchString>, <searchName>, and <searchPostProcess> elements in Simple XML files. Use the <search> element instead. |
check_for_simple_xml_seed_element | x | x | Check for the deprecated <seed> option in Simple XML forms. Use the <initialValue> element instead. |
Deprecated features from Splunk Enterprise 6.4
The following features should not be supported in Splunk 6.4 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_noninteger_height_option | x | x | Check that <option name="height"> uses an integer for the value. Do not use <option name="height">[value]px</option>. |
check_ | x | x | Check Simple XML files for <single> panels with the deprecated options additionalClass, afterLabel, beforeLabel, classField, linkFields, linkSearch, linkView. |
check_for_splunk_js_d3chartview | x | x | Check that views are not importing d3chartview. |
check_for_splunk_js_googlemapsview | x | x | Check that views are not importing googlemapsview. |
check_ | x | x | Check that web.conf does not use the property simple_xml_force_flash_charting. |
check_ | x | x | Check that web.conf does not use the simple_xml_module_render property. |
Deprecated features from Splunk Enterprise 6.5
The following features should not be supported in Splunk 6.5 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check Dashboard XML files for an <option> element with the deprecated option value "refresh.auto.interval", i.e. <option name="refresh.auto.interval">. |
check_ | x | x | Check that views are not importing splunkjs/mvc/headerview or splunkjs/mvc/footerview. These are replaced by LayoutView in Splunk 6.5. LayoutView is not backward compatible with Splunk 6.4 or earlier. Only use LayoutView if you are targeting Splunk 6.5 or above exclusively. |
Deprecated or removed features from Splunk Enterprise 6.6
The following features should not be supported in Splunk 6.6 or later.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_app_install_endpoint | x | x | Check for usages of the apps/appinstall endpoint. |
check_ | x | x | Check for the autoLB setting in outputs.conf, support for which has been removed. |
check_ | x | x | Check for the displayRowNumbers option in Simple XML. This option is no longer supported since Splunk 6.6. |
Deprecated features from Splunk Enterprise 7.1
The following features should not be supported in Splunk 7.1 or later. For more, see Deprecated features and Changes for Splunk app developers.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_input_command_usage | x | x | Check for usage of the deprecated input command. |
Deprecated features from Splunk Enterprise 7.2
The following features should not be supported in Splunk 7.2 or later. For more, see Deprecated features and Changes for Splunk app developers.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_deprecated_literals_conf | x | x | Check for the existence of the deprecated literals.conf. |
Deprecated features from Splunk Enterprise 7.3
The following features should not be supported in Splunk 7.3 or later. For more, see Deprecated features and Changes for Splunk app developers.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_tscollect_command_usage | x | x | Check for usage of the deprecated tscollect command. |
Deprecated features from Splunk Enterprise 8.0
The following features should not be supported in Splunk 8.0.0 or later. For more, see Deprecated features and Changes for Splunk app developers.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_ | x | x | Check that there is no Advanced XML, which was deprecated in Splunk Enterprise 6.3. |
check_ | x | x | Check for the existence of custom CherryPy endpoints, which must be upgraded to be Python 3-compatible for Splunk Enterprise 8.0. |
check_ | x | x | Check for the existence of Python code blocks in Mako templates, which must be upgraded to be Python 3-compatible for Splunk Enterprise 8.0. |
check_for_python_script_existence | x | x | Check for the existence of Python scripts, which must be upgraded to be cross-compatible with Python 2 and 3 for Splunk Enterprise 8.0. |
check_for_removed_m2crypto_usage | x | x | Check for usage of the M2Crypto package, which is removed in Splunk Enterprise 8.0. |
Universal Configuration Console standards
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_for_ucc_framework_version | x | x | Check UCC framework version. |
SPL2-specific checks
This group includes checks for validating SPL2 files.
Check Name | splunk_appinspect | cloud | Description |
---|---|---|---|
check_run_as_owner | x | x | Check that no SPL2 modules have @run_as_owner; annotation enabled. |
check_spl2_usage | x | x | Check if the app contains any SPL2 code. |