UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Splunk Enterprise must allow only the individuals appointed by the Information System Security Manager (ISSM) to have full admin rights to the system.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251667 SPLK-CL-000140 SV-251667r879560_rule Low
Description
Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
STIG Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide 2023-06-09

Details

Check Text ( C-55105r808235_chk )
This check is applicable to the instance with the Search Head role, which may be a different instance in a distributed environment.

Select Settings >> Users.

If users have the admin role that are not defined by the ISSM as requiring admin rights, this is a finding.

LDAP Groups Check:

Select Settings >> Authentication Method >> LDAP Settings >> Map Groups.

Obtain the LDAP group name mapped to the admin role.

Request from the LDAP administrator the group membership of this LDAP group, and compare to the list of individuals appointed by the ISSM.

If users that are not defined by the ISSM as requiring admin rights are present in the admin role membership, this is a finding.
Fix Text (F-55059r808236_fix)
Provide the list of individuals assigned by the ISSM to be members of the admin role to the Splunk Enterprise administrator.

Provide the list of individuals assigned by the ISSM to be members of the admin role to the LDAP administrator to add to the LDAP group mapped to the admin role.

Create user accounts and assign the admin role for users provided in the lists.