SPLK-CL-000020 - Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.
Information
To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses. The use of an organizational level authentication mechanism provides centralized management of accounts, and provides many benefits not normally leveraged by local account mechanisms. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Select Settings >> Access Controls >> Authentication method. If using LDAP for user accounts: Select LDAP and create an LDAP strategy with the proper settings to connect to the LDAP server. Map the appropriate LDAP groups to the appropriate Splunk roles for proper user access. If using SAML for user accounts: Select SAML and create an SAML strategy with the proper settings to connect to the SAML provider. Map the appropriate SAML groups to the appropriate Splunk roles for proper user access.