STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.

DISA Rule

SV-221625r508660_rule

Vulnerability Number

V-221625

Group Title

SRG-APP-000359-AU-000120

Rule Version

SPLK-CL-000290

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Perform the following fixes.

(Note that these files may exist in one of the following folders or its subfolders:
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/slave-apps/)

1. Edit the file in the Splunk installation folder:

$SPLUNK_HOME/etc/system/local/server.conf

Add the following lines:

[diskUsage]
minFreeSpace = xxxx

Set the value to 25 percent of the size of the storage volume. For example, 25 percent of a 100 GB drive is 25 GB, and the value set would be 25000, as the value is in megabytes.

2. Examine the file in the Splunk installation folder:

$SPLUNK_HOME/etc/system/local/health.conf

Add the following lines:

[alert_action:email]
disabled = 0
action.to =
action.cc =

Set the email addresses of the ISSO and SA so that they receive the alerts. This can be a group address (e.g., alerts@domain.com) whose membership includes the ISSO and SA.

3. In the Splunk console, select Settings >> Health Report Manager >> feature:disk_space.

Set the Red setting to 1, and Yellow setting to 2.
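The following checker is an added example and not part of the STIG or of Splunk; it parses the two settings from steps 1 and 2 (constructed sample file contents are embedded inline) and reports whether minFreeSpace covers 25 percent of a volume of a given size and whether the email alert action is enabled with at least one recipient. It assumes a single file's text is passed in (it does not resolve Splunk's layered apps/slave-apps precedence) and treats a value at or above the 25 percent figure as compliant.

```python
"""Offline compliance check for the server.conf and health.conf settings
required by SPLK-CL-000290 (added example, not Splunk or DISA code)."""
import configparser

# Constructed sample contents, not taken from a real deployment.
SERVER_CONF = """
[diskUsage]
minFreeSpace = 25000
"""

HEALTH_CONF = """
[alert_action:email]
disabled = 0
action.to = alerts@example.com
action.cc =
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive: keep 'minFreeSpace'
    cp.read_string(text)
    return cp


def check_min_free_space(server_conf_text, volume_size_gb):
    """Return (compliant, actual_mb, required_mb).

    required_mb is 25 percent of the volume in megabytes, using the decimal
    GB-to-MB factor the STIG's own example uses (100 GB -> 25000)."""
    required_mb = int(volume_size_gb * 1000 * 0.25)
    cp = _parse(server_conf_text)
    try:
        actual_mb = int(cp.get("diskUsage", "minFreeSpace"))
    except (configparser.Error, ValueError):
        return False, None, required_mb  # missing or non-integer setting
    return actual_mb >= required_mb, actual_mb, required_mb


def check_email_alert(health_conf_text):
    """Return (compliant, recipients): the action must be enabled (disabled = 0)
    and action.to/action.cc must name at least one address."""
    cp = _parse(health_conf_text)
    if not cp.has_section("alert_action:email"):
        return False, []
    sec = cp["alert_action:email"]
    enabled = sec.get("disabled", "1").strip() == "0"
    recipients = [a.strip() for key in ("action.to", "action.cc")
                  for a in sec.get(key, "").split(",") if a.strip()]
    return enabled and bool(recipients), recipients


if __name__ == "__main__":
    print(check_min_free_space(SERVER_CONF, 100))  # assumes a 100 GB volume
    print(check_email_alert(HEALTH_CONF))
```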

Check Contents

Perform the following checks. If any do not comply, this is a finding.

(Note that these files may exist in one of the following folders or its subfolders:
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/slave-apps/)

1. Examine the file in the Splunk installation folder:

$SPLUNK_HOME/etc/system/local/server.conf

Locate the following setting:

[diskUsage]
minFreeSpace = xxxx

Verify that the value is set to 25 percent of the size of the storage volume. For example, 25 percent of a 100 GB drive is 25 GB, and the value set would be 25000, as the value is in megabytes.

2. Examine the file in the Splunk installation folder:

$SPLUNK_HOME/etc/system/local/health.conf

Locate the following setting:

[alert_action:email]
disabled = 0
action.to =
action.cc =

Verify that the email addresses of the ISSO and SA are set so that they receive the alerts. This can be a group address (e.g., alerts@domain.com) whose membership includes the ISSO and SA.

3. In the Splunk console, select Settings >> Health Report Manager >> feature:disk_space.

Verify Red setting is 1, and Yellow setting is 2.

Vulnerability Number

V-221625

Documentable

False

Rule Version

SPLK-CL-000290

Check Content Reference

M

Target Key

4082

Comments