SPLK-CL-000090 - When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.

Information

Applications are capable of providing a wide variety of functions and services. Some of the functions and services may not be necessary to support the configuration. This becomes more of an issue in distributed environments, where the application functions are spread out over multiple servers.

These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If the Splunk Installation is not distributed among multiple servers, this fix is N/A.

Select Settings >> Monitoring Console.

In the Monitoring Console, select Settings >> General Setup.

Set the Mode type based on the implementation design.

If Mode is set to Distributed, set each instance only with the server roles necessary for the desired functions.

On instances not designated as search heads, disable the web UI by using the following command:

./splunk disable webserver

On instances not designated as indexers, remove the file:

$SPLUNK_HOME/etc/system/local/indexes.conf

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-221934r960963_rule, STIG-ID|SPLK-CL-000090, STIG-Legacy|SV-111321, STIG-Legacy|V-102369, Vuln-ID|V-221934

Plugin: Splunk

Control ID: 054104b40a5fe3ea2e73a1e412b3aa55da6f4cb05c674fbf6e9701282ac7014a