SPLK-CL-000270 - Splunk Enterprise must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.

Information

Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Provide the list of individuals assigned by the ISSM to be members of the Power User role to the LDAP/AD administrator or SAML Identity Provider administrator, so that they can be added to the security group mapped to the Power User role.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12b., CAT|III, CCI|CCI-000171, CCI|CCI-003831, Rule-ID|SV-221623r992020_rule, STIG-ID|SPLK-CL-000270, STIG-Legacy|SV-111337, STIG-Legacy|V-102393, Vuln-ID|V-221623

Plugin: Splunk

Control ID: aaf23669356728e9b44041f7fa218a6b3a07cfe873e7383fc7d7d1be878ea784