UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Splunk Enterprise must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221623 SPLK-CL-000270 SV-221623r992020_rule Low
Description
Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
STIG Date
Splunk Enterprise 7.x for Windows Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-23338r992019_chk )
If using LDAP:
Select Settings >> Access Controls >> Authentication Method >> LDAP Settings >> Map Groups.
Obtain the group name mapped to the power user role.
Request from the LDAP administrator the group membership of this LDAP group, and compare to the list of individuals appointed by the ISSM.

If using SAML:
Select Settings >> Access Controls >> Authentication Method >> SAML Settings >> Map Groups.
Obtain the group name mapped to the power user role.
Request from the SAML administrator the group membership of this SAML group, and compare to the list of individuals appointed by the ISSM.

If users that are not defined by the ISSM as requiring elevated rights are present in the power user role membership, this is a finding.
Fix Text (F-23327r569412_fix)
Provide the list of individuals assigned by the ISSM to be members of the power user role to the LDAP/AD administrator or SAML Identity Provider administrator to add to the security group mapped to the power user role.