When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251678 | SPLK-CL-000300 | SV-251678r808270_rule | Medium |
| Description |
|---|
| Applications are capable of providing a wide variety of functions and services. Some of the functions and services may not be necessary to support the configuration. This becomes more of an issue in distributed environments, where the application functions are spread out over multiple servers. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. |
| STIG | Date |
|---|---|
| Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2022-06-07 |
Details
| Check Text ( C-55116r808268_chk ) |
|---|
| If the Splunk Installation is not distributed among multiple servers, this check is N/A. Select Settings >> Monitoring Console. In the Monitoring Console, select Settings >> General Setup. Check the Mode type. If set to Standalone, then this requirement is N/A, as all functions provided are necessary for operation. If Mode is set to Distributed, check that each instance is configured only with the server roles necessary for the implementation. If unused roles are configured, this is a finding. |
| Fix Text (F-55070r808269_fix) |
|---|
| If the Splunk Installation is not distributed among multiple servers, this fix is N/A. Select Settings >> Monitoring Console. In the Monitoring Console, select Settings >> General Setup. Set the Mode type based on the implementation design. If Mode is set to Distributed, set each instance only with the server roles necessary for the desired functions. |