STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Splunk Enterprise must use SSL to protect the confidentiality and integrity of transmitted information.

DISA Rule

SV-221608r508660_rule

Vulnerability Number

V-221608

Group Title

SRG-APP-000439-AU-004310

Rule Version

SPLK-CL-000070

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Edit the following files in the installation to configure Splunk to use SSL certificates:

(Note that these files may exist in one of the following folders or its subfolders:
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/slave-apps/)

This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>

This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>

Check Contents

Execute a search query in Splunk using the following:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl

Verify that the report returns ssl = true for every item listed.

If the report returns ssl = false for any item, this is a finding.
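The following is an added example, not part of the STIG or of Splunk: a small Python script that applies this check (the same search is repeated under Severity Override Guidance below) offline to constructed, simplified key=value lines in the style of metrics.log group=tcpin_connections events. Like the dedup in the search it keeps only the newest event per hostname, and it also treats a missing ssl field as a finding rather than silently passing it; the log layout and host names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (simplified metrics.log style; hosts and IPs are made up).
SAMPLE_LOG = """\
04-23-2021 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, hostname=fwd01, sourceIp=10.0.0.11, destPort=9997, ssl=false
04-23-2021 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, hostname=fwd01, sourceIp=10.0.0.11, destPort=9997, ssl=true
04-23-2021 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, hostname=fwd02, sourceIp=10.0.0.12, destPort=9997, ssl=false
04-23-2021 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, hostname=fwd03, sourceIp=10.0.0.13, destPort=9997
04-23-2021 10:00:31.000 +0000 INFO  Metrics - group=queue, name=parsingQueue, current_size=0
"""

KV_RE = re.compile(r"(\w+)=([^,\s]+)")          # key=value pairs as Splunk would extract them
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"               # leading timestamp of each line


def parse_events(text):
    """Yield (timestamp, fields) for group=tcpin_connections events only."""
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("group") != "tcpin_connections":
            continue
        ts = datetime.strptime(" ".join(line.split()[:3]), TS_FMT)
        yield ts, fields


def audit(text):
    """Return {hostname: (ssl_value, is_finding)} using the newest event per host,
    mirroring '| dedup hostname' on a newest-first result set."""
    newest = {}
    for ts, fields in parse_events(text):
        host = fields.get("hostname")
        if host is None:
            continue
        if host not in newest or ts > newest[host][0]:
            newest[host] = (ts, fields)
    # Anything other than an explicit ssl=true (including no ssl field) is a finding.
    return {h: (f.get("ssl", "missing"), f.get("ssl") != "true")
            for h, (_, f) in newest.items()}


def findings(text):
    """Sorted hostnames whose newest connection was not protected by SSL."""
    return sorted(h for h, (_, bad) in audit(text).items() if bad)


if __name__ == "__main__":
    for host, (ssl, bad) in audit(SAMPLE_LOG).items():
        print(f"{host:8} ssl={ssl:8} {'FINDING' if bad else 'ok'}")
```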

Vulnerability Number

V-221608

Documentable

False

Rule Version

SPLK-CL-000070

Severity Override Guidance

Execute a search query in Splunk using the following:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl

Verify that the report returns ssl = true for every item listed.

If the report returns ssl = false for any item, this is a finding.

Check Content Reference

M

Target Key

4082

Comments