DISA STIG Splunk Enterprise 8.x for Linux v2r1 STIG REST API

Audit Details

Name: DISA STIG Splunk Enterprise 8.x for Linux v2r1 STIG REST API

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Splunk

Revision: 1.0

Estimated Item Count: 23

File Details

Filename: DISA_STIG_Splunk_Enterprise_8.x_for_Linux_REST_API_v2r1.audit

Size: 51.2 kB

MD5: 2b286db33ae61bbe46b99e6420d1819b
SHA256: 11b160709769c33cffd99d777091d9e6b54a54c292cf914b2b373289fb7d1f49

Audit Items

DescriptionCategories
DISA_STIG_Splunk_Enterprise_8.x_for_Linux_REST_API_v2r1.audit from DISA Splunk Enterprise 8.x for Linux v2r1 STIG
SPLK-CL-000020 - Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, or disabling) - creation, deletion, modification, or disabling.

ACCESS CONTROL

SPLK-CL-000080 - Splunk Enterprise must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the server.

ACCESS CONTROL

SPLK-CL-000100 - Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000110 - In a distributed environment, Splunk Enterprise indexers must be configured to ingest log records from its forwarders.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000130 - Splunk Enterprise must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000140 - Splunk Enterprise must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system - ISSM to have full admin rights to the system.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000150 - Splunk Enterprise must be configured to offload log records onto a different system or media than the system being audited.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000160 - Splunk Enterprise must be configured to send an immediate alert to the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity - at a minimum when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000170 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000180 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000250 - Splunk Enterprise must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000260 - Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.

CONFIGURATION MANAGEMENT

SPLK-CL-000270 - Splunk Enterprise must use TCP for data transmission.

CONFIGURATION MANAGEMENT

SPLK-CL-000280 - Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

CONFIGURATION MANAGEMENT

SPLK-CL-000290 - Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.

CONFIGURATION MANAGEMENT

SPLK-CL-000300 - When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.

CONFIGURATION MANAGEMENT

SPLK-CL-000320 - Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000330 - Splunk Enterprise must use HTTPS/SSL for access to the user interface.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000390 - Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000450 - Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.

SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000460 - Splunk Enterprise must be configured to protect the confidentiality and integrity of transmitted information.

SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000490 - Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication.

IDENTIFICATION AND AUTHENTICATION