Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251662 | SPLK-CL-000090 | SV-251662r960864_rule | Medium |
| Description |
|---|
| Without non-repudiation, it is impossible to positively attribute an action to an individual (or process acting on behalf of an individual). The records stored by Splunk Enterprise must be protected against alteration. A hash is one way of performing this function. The server must not allow the removal of identifiers or date/time, or it must severely restrict the ability to do so. |
| STIG | Date |
|---|---|
| Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2024-06-10 |
Details
| Check Text ( C-55100r835281_chk ) |
|---|
| This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as an indexer, this check is N/A. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the indexes.conf file. If the indexes.conf file does not exist, this is a finding. If the "enableDataIntegrityControl" is missing or is configured to 0 or false for each index, this is a finding. |
| Fix Text (F-55054r835282_fix) |
|---|
| If the indexes.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the indexes.conf file under each index: enableDataIntegrityControl = 1 or True |