SPLK-CL-000080 - Splunk Enterprise must use LDAPS for the LDAP connection.

Information

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Securing the connection to the LDAP servers mitigates this risk.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If using SAML for authentication, this fix is N/A.

Select Settings >> Access Controls >> Authentication method.

Select LDAP Settings.

Select the LDAP strategy and check the option SSL enabled.

Set Port to 636.

Edit the following file in the installation to configure Splunk to use SSL certificates:

$SPLUNK_HOME/etc/openldap/ldap.conf

Add the following line:

TLS_CACERT <path to the DoD approved certificate in PEM format>
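Because this item is not checked automatically, the script below is an added example (not part of the STIG or the benchmark) that audits the three settings from the fix steps. It assumes the UI choices are stored in authentication.conf under Splunk's authType, authSettings, SSLEnabled and port keys; the function names, strategy name and paths are hypothetical.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (SSLEnabled)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def tls_cacert(ldap_conf_text):
    """Return the TLS_CACERT value from ldap.conf text, or None if absent."""
    for line in ldap_conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CACERT":
            return parts[1]
    return None  # commented-out or missing directive

def audit_ldaps(auth_conf_text, ldap_conf_text):
    """Return (status, findings) for the fix steps listed above."""
    conf = parse_conf(auth_conf_text)
    auth = conf.get("authentication", {})
    auth_type = auth.get("authType", "Splunk")
    if auth_type == "SAML":
        return "N/A", []      # the fix text exempts SAML
    if auth_type != "LDAP":
        return "NO_LDAP", []  # assumption: no LDAP strategy is active
    findings = []
    for name in filter(None, (s.strip() for s in auth.get("authSettings", "").split(","))):
        strat = conf.get(name)
        if strat is None:
            findings.append(f"{name}: strategy stanza missing")
            continue
        if strat.get("SSLEnabled", "0").strip() != "1":
            findings.append(f"{name}: SSLEnabled is not 1")
        if strat.get("port", "").strip() != "636":
            findings.append(f"{name}: port is {strat.get('port', 'unset')!r}, expected 636")
    if not tls_cacert(ldap_conf_text):
        findings.append("ldap.conf: no TLS_CACERT line")
    return ("FAIL" if findings else "PASS"), findings

# Constructed sample inputs (strategy name and path are placeholders).
SAMPLE_AUTH = """[authentication]
authType = LDAP
authSettings = corp_ldap
[corp_ldap]
SSLEnabled = 0
port = 389
"""
SAMPLE_LDAP = "# TLS_CACERT /placeholder/ca.pem\n"
print(audit_ldaps(SAMPLE_AUTH, SAMPLE_LDAP))
```

The check is stricter than Splunk's own defaults: a strategy with no explicit port is reported, since the fix text requires the port to be set to 636.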

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CAT|I, CCI|CCI-000197, Rule-ID|SV-221609r961029_rule, STIG-ID|SPLK-CL-000080, STIG-Legacy|SV-111319, STIG-Legacy|V-102367, Vuln-ID|V-221609

Plugin: Splunk

Control ID: b15f7b805f3e74f4ab0bf7fcc13dc4d7904aaab71d023995d2d8e004e3e23313