DISA STIG Splunk Enterprise 7.x for Windows v2r3 REST API

Audit Details

Name: DISA STIG Splunk Enterprise 7.x for Windows v2r3 REST API

Updated: 1/9/2023

Authority: DISA STIG

Plugin: Splunk

Revision: 1.0

Estimated Item Count: 35

File Details

Filename: DISA_STIG_Splunk_Enterprise_7.x_for_Windows_REST_API_v2r3.audit

Size: 73.3 kB

MD5: 24510126499e1938915bb8df1dcaeca8
SHA256: b4cafb96d99696a5dfdddffb8a855049f46407dfdcdaa207080a7e3dc48547b4

Audit Items

Description / Categories

DISA_STIG_Splunk_Enterprise_7.x_for_Windows_REST_API_v2r3.audit from DISA Splunk Enterprise 7.x for Windows v2r3 STIG

SPLK-CL-000010 - Splunk Enterprise must be installed with FIPS mode enabled, to implement NIST FIPS 140-2 approved ciphers for all cryptographic functions.

SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000020 - Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000030 - Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000035 - Splunk Enterprise must display the Standard Mandatory DoD Notice and Consent Banner and accept user acknowledgement before granting access to the application.

ACCESS CONTROL

SPLK-CL-000040 - Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.

SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000045 - Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DoD CAC or other smart card credential for identity management, personal authentication, and multifactor authentication.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000050 - Splunk Enterprise must use TLS 1.2 and SHA-2 or higher cryptographic algorithms.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000060 - Splunk Enterprise must use HTTPS/SSL for access to the user interface.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000070 - Splunk Enterprise must use SSL to protect the confidentiality and integrity of transmitted information.

SYSTEM AND COMMUNICATIONS PROTECTION

SPLK-CL-000080 - Splunk Enterprise must use LDAPS for the LDAP connection.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000090 - When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.

CONFIGURATION MANAGEMENT

SPLK-CL-000105 - Splunk Enterprise must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000160 - Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000170 - Splunk Enterprise must use TCP for data transmission.

CONFIGURATION MANAGEMENT

SPLK-CL-000180 - Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000190 - Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

ACCESS CONTROL

SPLK-CL-000200 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) when account events are received (creation, deletion, modification, disabling).

ACCESS CONTROL

SPLK-CL-000235 - Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

ACCESS CONTROL

SPLK-CL-000240 - Splunk Enterprise must enforce the limit of 3 consecutive invalid logon attempts by a user during a 15 minute time period.

ACCESS CONTROL

SPLK-CL-000250 - Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000260 - The System Administrator (SA) and Information System Security Officer (ISSO) must configure the retention of the log records based on the defined security plan.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000270 - Splunk Enterprise must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000280 - Splunk Enterprise must be configured with a successful/unsuccessful logon attempts report.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000290 - Splunk Enterprise must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000300 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000310 - Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.

AUDIT AND ACCOUNTABILITY

SPLK-CL-000320 - Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

CONFIGURATION MANAGEMENT

SPLK-CL-000330 - Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000340 - Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one lower-case character be used.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000350 - Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one numeric character be used.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000360 - Splunk Enterprise must enforce a minimum 15-character password length for the account of last resort.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000370 - Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one special character be used.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000380 - Splunk Enterprise must enforce a 60-day maximum password lifetime restriction for the account of last resort.

IDENTIFICATION AND AUTHENTICATION

SPLK-CL-000390 - Splunk Enterprise must prohibit password reuse for a minimum of five generations for the account of last resort.

IDENTIFICATION AND AUTHENTICATION