STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.

DISA Rule

SV-221613r508660_rule

Vulnerability Number

V-221613

Group Title

SRG-APP-000080-AU-000010

Rule Version

SPLK-CL-000160

Severity

CAT II

CCI(s)

• CCI-000166 - The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.

Weight

10

Fix Recommendation

If the server does not store index data, this fix is N/A.

Edit the following file in the installation folder:

$SPLUNK_HOME/etc/system/local/indexes.conf

Add the following line to each organization-defined index stanza in brackets [ ]:

enableDataIntegrityControl=true

Check Contents

If the server being reviewed does not store index data, this check is N/A.

Check the following file in the installation folder:

$SPLUNK_HOME/etc/system/local/indexes.conf

Verify that each organization-defined index stanza in brackets [ ] has the following line added:

enableDataIntegrityControl=true

If this line is missing or is set to false, this is a finding.

Vulnerability Number

V-221613

Documentable

False

Rule Version

SPLK-CL-000160

Severity Override Guidance

If the server being reviewed does not store index data, this check is N/A.

Check the following file in the installation folder:

$SPLUNK_HOME/etc/system/local/indexes.conf

Verify that each organization-defined index stanza in brackets [ ] has the following line added:

enableDataIntegrityControl=true

If this line is missing or is set to false, this is a finding.

Check Content Reference

M

Target Key

4082

Comments