Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251690 | SPLK-CL-000450 | SV-251690r808306_rule | Medium |
| Description |
|---|
| Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Splunk Enterprise contains built-in certificates that are common across all Splunk installations, and are for initial deployment. These should not be used in any production environment. It is also recommended that the production certificates be stored in another location away from the Splunk default certificates, as that folder gets replaced on any upgrade of the application. An example would be to use a folder named /etc/system/DoDcerts under the Splunk installation root folder. |
| STIG | Date |
|---|---|
| Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2022-06-07 |
Details
| Check Text ( C-55128r808304_chk ) |
|---|
| On the host OS of the server, verify the properties of the certificate used by Splunk to ensure that the Issuer is the DoD trusted CA. This can be verified by the command: openssl x509 -text -inform PEM -in If the certificate issuer is not a DoD trusted CA, then this is a finding. |
| Fix Text (F-55082r808305_fix) |
|---|
| Request a DoD-approved certificate and a copy of the DoD root CA public certificate, and place the files in a location for Splunk use. Configure the certificate files to the PEM format, using the Splunk Enterprise system documentation. |