
Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.


Overview

Finding ID: V-221613
Version: SPLK-CL-000160
Rule ID: SV-221613r960864_rule
IA Controls: (none listed)
Severity: Medium
Description
Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). The records stored by Splunk Enterprise must be protected against alteration. A hash is one way of performing this function. The server must not allow the removal of identifiers or date/time, or it must severely restrict the ability to do so.
STIG: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
Date: 2024-06-10

Details

Check Text (C-23328r416296_chk)
If the server being reviewed does not store index data, this check is N/A.

Check the following file in the installation folder:

$SPLUNK_HOME/etc/system/local/indexes.conf

Verify that each organization-defined index stanza in brackets [ ] has the following line added:

enableDataIntegrityControl=true

If this line is missing or is set to false, this is a finding.
Fix Text (F-23317r416297_fix)
If the server does not store index data, this fix is N/A.

Edit the following file in the installation folder:

$SPLUNK_HOME/etc/system/local/indexes.conf

Add the following line to each organization-defined index stanza in brackets [ ]:

enableDataIntegrityControl=true
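The check and fix above both reduce to one question per index stanza in indexes.conf: is enableDataIntegrityControl present and set to true? The script below is an added example, not Splunk's code or part of the STIG. It parses a local indexes.conf the way the check reads it (one key per line, no credit for inheritance from a [default] stanza, since the check requires the line in each index stanza), reports each stanza that would be a finding, and produces a remediated copy with the line added or corrected. The sample configuration is constructed for the example; the assumption that [default] and [volume:...] stanzas are not organization-defined indexes is the author's, not the STIG's.

```python
"""Audit and remediate enableDataIntegrityControl in a Splunk indexes.conf.

Added example for the STIG check above; not Splunk or STIG code.
"""
import re
from typing import Dict, List, Tuple

REQUIRED_KEY = "enableDataIntegrityControl"
REQUIRED_VALUE = "true"  # the value the check text requires

# Assumption: [default] and [volume:...] stanzas are not index stanzas and
# are therefore outside the scope of the check; everything else is an index.
_NON_INDEX = re.compile(r"^(default|volume:.*)$", re.IGNORECASE)
_STANZA = re.compile(r"^\[(.+)\]$")

# Constructed sample indexes.conf (not from a real deployment). One index is
# compliant, one is explicitly false, one lacks the line entirely.
SAMPLE_CONF = """\
# constructed sample indexes.conf
[default]
maxTotalDataSizeMB = 500000

[main]
homePath = $SPLUNK_DB/defaultdb/db
enableDataIntegrityControl=true

[app_logs]
homePath = $SPLUNK_DB/app_logs/db
enableDataIntegrityControl=false

[audit_trail]
homePath = $SPLUNK_DB/audit_trail/db

[volume:hot]
path = D:\\splunk_hot
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: {stanza: {key: value}} in file order.

    Assumes one 'key = value' per line and '#' comments; it does not merge
    with other config layers, because the check reads only the local file.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_findings(text: str) -> List[Tuple[str, str]]:
    """Return (stanza, reason) for every index stanza that fails the check."""
    findings: List[Tuple[str, str]] = []
    for name, settings in parse_conf(text).items():
        if _NON_INDEX.match(name):
            continue
        value = settings.get(REQUIRED_KEY)
        if value is None:
            findings.append((name, "missing"))
        elif value.lower() != REQUIRED_VALUE:
            findings.append((name, f"set to {value}"))
    return findings


def remediate(text: str) -> str:
    """Return the config text with the required line in every index stanza.

    Wrong values are rewritten in place; a missing line is appended to the
    stanza. Non-index stanzas and comments are left untouched.
    """
    out: List[str] = []
    current = None
    seen = False

    def close_stanza() -> None:
        # Append the line to the stanza just finished, if it is an index
        # stanza that never declared the key; keep trailing blank lines last.
        if current is not None and not _NON_INDEX.match(current) and not seen:
            i = len(out)
            while i > 0 and out[i - 1].strip() == "":
                i -= 1
            out.insert(i, f"{REQUIRED_KEY}={REQUIRED_VALUE}")

    for raw in text.splitlines():
        stripped = raw.strip()
        m = _STANZA.match(stripped)
        if m:
            close_stanza()
            current = m.group(1).strip()
            seen = False
            out.append(raw)
            continue
        if current is not None and not stripped.startswith("#") and "=" in stripped:
            if stripped.partition("=")[0].strip() == REQUIRED_KEY:
                seen = True
                out.append(f"{REQUIRED_KEY}={REQUIRED_VALUE}")
                continue
        out.append(raw)
    close_stanza()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for stanza, reason in find_findings(SAMPLE_CONF):
        print(f"FINDING: [{stanza}] {REQUIRED_KEY} {reason}")
    print(remediate(SAMPLE_CONF))
```

Run against the real file by reading $SPLUNK_HOME/etc/system/local/indexes.conf into find_findings; write the output of remediate back only after reviewing the diff, since a restart of splunkd is needed for indexes.conf changes to take effect. Note that the parser deliberately reads one file rather than Splunk's merged configuration, which is what the check text asks for; a value inherited from [default] would satisfy Splunk but not this check as written.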