SPLK-CL-000290 - Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.

Information

Access to Splunk Enterprise for analysis, viewing, indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository.

Solution

Edit the following files in the installation to configure Splunk to use SSL certificates:

This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>

This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>

This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment.

Edit the following file in the installation to configure Splunk to use SSL certificates:

$SPLUNK_HOME/etc/opt/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = <path to the private key generated for the DoD approved certificate>
serverCert = <path to the DoD approved certificate in PEM format>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for_Linux_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-251677r961863_rule, STIG-ID|SPLK-CL-000290, Vuln-ID|V-251677

Plugin: Splunk

Control ID: a8959e9715b7647f3ff879c51d7da626e25e02fc081eeb7f3c75f42ef0cc5c6d