SPLK-CL-000450 - Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.

Information

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.

The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority.

Splunk Enterprise contains built-in certificates that are common across all Splunk installations, and are for initial deployment. These should not be used in any production environment.

It is also recommended that the production certificates be stored in another location away from the Splunk default certificates, as that folder gets replaced on any upgrade of the application. An example would be to use a folder named /etc/system/DODcerts under the Splunk installation root folder.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Request a DOD-approved certificate and a copy of the DOD root CA public certificate, and place the files in a location for Splunk use.

Configure the certificate files to the PEM format, using the Splunk Enterprise system documentation.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for_Linux_V2R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5), CAT|II, CCI|CCI-002470, CCI|CCI-004909, CCI|CCI-004910, Rule-ID|SV-251690r992050_rule, STIG-ID|SPLK-CL-000450, Vuln-ID|V-251690

Plugin: Splunk

Control ID: fe3b4c5d197d1a158d0b071e4956d9d0d9cf24e9f3ee021d425c98a37b53cb8e