
Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.


Overview

Finding ID: V-251662
Version: SPLK-CL-000090
Rule ID: SV-251662r808222_rule
IA Controls:
Severity: Medium
Description
Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). The records stored by Splunk Enterprise must be protected against alteration. A hash is one way of performing this function. The server must not allow the removal of identifiers or date/time, or it must severely restrict the ability to do so.
STIG: Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
Date: 2021-11-30

Details

Check Text ( C-55100r808220_chk )
This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.

If the instance being reviewed is not used as an indexer, this check is N/A.

Examine the configuration.

Navigate to the /etc/opt/splunk/system/local/ directory. View the indexes.conf file.

If the indexes.conf file does not exist, this is a finding.

For each index, if "enableDataIntegrity" is missing or is set to 0 or false, this is a finding.
Fix Text (F-55054r808221_fix)
If the indexes.conf file does not exist, copy the file from /etc/opt/splunk/system/default to the /etc/opt/splunk/system/local directory.

Modify the following lines in the indexes.conf file under each index:

enableDataIntegrity = 1 or True
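As an added compliance check, not part of the STIG or of Splunk's own tooling, the following Python script parses an indexes.conf and lists the indexes that would be a finding under this rule. It assumes, following Splunk's conf precedence, that a [default] stanza supplies values a per-index stanza does not override, and that [volume:...] stanzas are storage definitions rather than indexes; the sample file below is constructed, not taken from any host.

```python
"""List indexes in an indexes.conf whose enableDataIntegrity is missing or off."""
import configparser
import io

# Constructed sample indexes.conf (not from a real system). The [default]
# stanza is assumed to supply values that a per-index stanza does not set.
SAMPLE_INDEXES_CONF = """\
[default]
maxTotalDataSizeMB = 500000

[main]
homePath = $SPLUNK_DB/defaultdb/db
enableDataIntegrity = 1

[audit]
homePath = $SPLUNK_DB/audit/db
enableDataIntegrity = false

[web_logs]
homePath = $SPLUNK_DB/web_logs/db

[volume:hot]
path = /data/hot
"""

# Spellings accepted as "enabled"; Splunk treats booleans case-insensitively (assumption).
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def check_data_integrity(conf_text):
    """Return {index_name: compliant?} for every index stanza in conf_text.

    An index is non-compliant when enableDataIntegrity is absent or set to
    0/false after [default] inheritance has been applied.
    """
    parser = configparser.RawConfigParser(strict=False, default_section="default")
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_file(io.StringIO(conf_text))
    results = {}
    for stanza in parser.sections():
        if stanza.startswith("volume:"):  # volume stanzas are not indexes (assumption)
            continue
        value = parser.get(stanza, "enableDataIntegrity", fallback=None)
        results[stanza] = value is not None and value.strip().lower() in TRUE_VALUES
    return results


def findings(conf_text):
    """Names of indexes that this STIG check would report as a finding."""
    return sorted(name for name, ok in check_data_integrity(conf_text).items() if not ok)


if __name__ == "__main__":
    for name in findings(SAMPLE_INDEXES_CONF):
        print(f"finding: index [{name}] lacks enableDataIntegrity = 1")
```

Point the script at /etc/opt/splunk/system/local/indexes.conf on an indexer to check the live configuration; if the file is absent, that alone is a finding under the check text above.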