UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251678 SPLK-CL-000300 SV-251678r808270_rule Medium
Description
Applications are capable of providing a wide variety of functions and services. Some of the functions and services may not be necessary to support the configuration. This becomes more of an issue in distributed environments, where the application functions are spread out over multiple servers. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
STIG Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide 2022-06-07

Details

Check Text ( C-55116r808268_chk )
If the Splunk Installation is not distributed among multiple servers, this check is N/A.

Select Settings >> Monitoring Console.

In the Monitoring Console, select Settings >> General Setup.

Check the Mode type.

If set to Standalone, then this requirement is N/A, as all functions provided are necessary for operation.

If Mode is set to Distributed, check that each instance is configured only with the server roles necessary for the implementation.

If unused roles are configured, this is a finding.
Fix Text (F-55070r808269_fix)
If the Splunk Installation is not distributed among multiple servers, this fix is N/A.

Select Settings >> Monitoring Console.

In the Monitoring Console, select Settings >> General Setup.

Set the Mode type based on the implementation design.

If Mode is set to Distributed, set each instance only with the server roles necessary for the desired functions.