SPLK-CL-000310 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.

Information

If the system were to continue processing after audit failure, actions could be taken on the system that could not be tracked and recorded for later forensic analysis. To perform this function, some type of heartbeat configuration with all of the devices and hosts must be configured.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this fix is N/A.

Configure Splunk Enterprise using the reporting and notification tools to create a report with notification to the SA and ISSO of any audit failure events, such as loss of communication or logs no longer being collected.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(4), CAT|III, CCI|CCI-001861, Rule-ID|SV-221627r987681_rule, STIG-ID|SPLK-CL-000310, STIG-Legacy|SV-111345, STIG-Legacy|V-102401, Vuln-ID|V-221627

Plugin: Splunk

Control ID: e6c48aeb3167ce75f7aa5acba17fc5189e17ad03860072cf2299a82a86c0b988