UCF STIG Viewer Logo

Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251677 SPLK-CL-000290 SV-251677r835285_rule Medium
Description
Access to Splunk Enterprise for analysis, viewing, indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository.
STIG Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide 2022-06-07

Details

Check Text ( C-55115r819098_chk )
Execute a search query in Splunk using the following:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl

Verify that the report returns ssl = true for every item listed.

Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify the enableSplunkWebSSL is set to 1.

If the report returns ssl = false for any item, and/or If enableSplunkWebSSL is not set, this is a finding.
Fix Text (F-55069r835284_fix)
Edit the following files in the installation to configure Splunk to use SSL certificates:

This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert =
sslPassword =

This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
disabled = 0
clientCert =
sslPassword =

This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment.

Edit the following file in the installation to configure Splunk to use SSL certificates:

$SPLUNK_HOME/etc/opt/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath =
serverCert =