Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251677	SPLK-CL-000290	SV-251677r961863_rule		Medium

Description
Access to Splunk Enterprise for analysis, viewing, indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository.

STIG	Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-55115r819098_chk )
Execute a search query in Splunk using the following: index=_internal source=metrics.log group=tcpin_connections \| dedup hostname \| table _time hostname sourceIp destPort ssl Verify that the report returns ssl = true for every item listed. Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify the enableSplunkWebSSL is set to 1. If the report returns ssl = false for any item, and/or If enableSplunkWebSSL is not set, this is a finding.

Check Text ( C-55115r819098_chk )

Execute a search query in Splunk using the following:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl

Verify that the report returns ssl = true for every item listed.

Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify the enableSplunkWebSSL is set to 1.

If the report returns ssl = false for any item, and/or If enableSplunkWebSSL is not set, this is a finding.

Fix Text (F-55069r835284_fix)
Edit the following files in the installation to configure Splunk to use SSL certificates: This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. $SPLUNK_HOME/etc/system/local/inputs.conf [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = sslPassword = This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment. $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout:group1] disabled = 0 clientCert = sslPassword = This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. Edit the following file in the installation to configure Splunk to use SSL certificates: $SPLUNK_HOME/etc/opt/system/local/web.conf [settings] enableSplunkWebSSL = 1 privKeyPath = serverCert =

Fix Text (F-55069r835284_fix)

Edit the following files in the installation to configure Splunk to use SSL certificates:

This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert =
sslPassword =

This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
disabled = 0
clientCert =
sslPassword =

This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment.

Edit the following file in the installation to configure Splunk to use SSL certificates:

$SPLUNK_HOME/etc/opt/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath =
serverCert =