Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-251677 | SPLK-CL-000290 | SV-251677r835285_rule | Medium |
Description |
---|
Access to Splunk Enterprise for analysis, viewing, indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository. |
STIG | Date |
---|---|
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2022-06-07 |
Check Text ( C-55115r819098_chk ) |
---|
Execute a search query in Splunk using the following: index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl Verify that the report returns ssl = true for every item listed. Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify the enableSplunkWebSSL is set to 1. If the report returns ssl = false for any item, and/or If enableSplunkWebSSL is not set, this is a finding. |
Fix Text (F-55069r835284_fix) |
---|
Edit the following files in the installation to configure Splunk to use SSL certificates: This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. $SPLUNK_HOME/etc/system/local/inputs.conf [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = sslPassword = This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment. $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout:group1] disabled = 0 clientCert = sslPassword = This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. Edit the following file in the installation to configure Splunk to use SSL certificates: $SPLUNK_HOME/etc/opt/system/local/web.conf [settings] enableSplunkWebSSL = 1 privKeyPath = serverCert = |