Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221602	SPLK-CL-000030	SV-221602r960969_rule		High

Description
User accounts should use an organizational level authentication mechanism such as SAML, LDAP, AD, etc., to provide centralized management. The use of local accounts should be discouraged, except for an emergency account of last resort. The use of local accounts instead of organizational level accounts creates a risk where accounts are not properly disabled or deleted when users depart or their roles change.

Description

User accounts should use an organizational level authentication mechanism such as SAML, LDAP, AD, etc., to provide centralized management. The use of local accounts should be discouraged, except for an emergency account of last resort. The use of local accounts instead of organizational level accounts creates a risk where accounts are not properly disabled or deleted when users depart or their roles change.

STIG	Date
Splunk Enterprise 7.x for Windows Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-23317r416263_chk )
Select Settings >> Access Controls >> Users. Verify that no user accounts exist with Authentication system set to Splunk except an account of last resort. They should all be set to LDAP or SAML. If any user accounts have Authentication system set to Splunk, with the exception of one emergency account of last resort, this is a finding.

Fix Text (F-23306r416264_fix)
Select Settings >> Access Controls >> Users. Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP account.