Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251679 | SPLK-CL-000320 | SV-251679r819103_rule | High |
| Description |
|---|
| To assure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses. |
| STIG | Date |
|---|---|
| Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2022-06-07 |
Details
| Check Text ( C-55117r819101_chk ) |
|---|
| This check is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. In the authentication.conf file, verify minimum settings similar to the example below. If any minimum settings are not configured, this is a finding. If using LDAP: [authentication] authType = LDAP authSettings = [ host = port = sslEnabled = 1 Check the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf If the file does not exist, this is a finding. Check for the following lines. If any are missing or do not match the settings below, this is a finding. TLS_REQCERT TLS_CACERT TLS_PROTOCOL_MIN 3.3 TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM- SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA256 If using SAML: [authentication] authType = SAML authSettings = [ entityId = idpSSOUrl = idpCertPath = Open the Splunk Web console. Select Settings >> Access Controls >> Users. Verify that no user accounts exist with Authentication system set to Splunk except an account of last resort. They must all be set to LDAP or SAML. If any user accounts have Authentication system set to Splunk, with the exception of one emergency account of last resort, this is a finding. |
| Fix Text (F-55071r819102_fix) |
|---|
| This configuration is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. Edit the authentication.conf file. If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Configure minimum settings similar to the example below for using LDAP or SAML. If using LDAP: [authentication] authType = LDAP authSettings = [ host = port = sslEnabled = 1 Edit the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf Configure the following lines for your certificate. TLS_REQCERT TLS_CACERT TLS_PROTOCOL_MIN 3.3 TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM- SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA- AES128-SHA256:ECDHE-RSA-AES128-SHA256 If using SAML: [authentication] authType = SAML authSettings = [ entityId = idpSSOUrl = idpCertPath = After configuring LDAP or SAML, open the Splunk Web console. Select Settings >> Access Controls >> Users. Create appropriate LDAP and SAML users and groups for the environment. Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP or SAML account. |