Detections
Analytics

SPLK-CL-000320 - Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

To assure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.

Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This configuration is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment.

Navigate to the $SPLUNK_HOME/etc/system/local/ directory.

Edit the authentication.conf file.

If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory.

Configure minimum settings similar to the example below for using LDAP or SAML.

If using LDAP:

[authentication]
authType = LDAP
authSettings = <ldap_strategy>

[<ldap_strategy>]
host = <LDAP server>
port = <LDAP port>
sslEnabled = 1

Edit the following file in the $SPLUNK_HOME/etc/openldap folder:

ldap.conf

Configure the following lines for your certificate.

TLS_REQCERT
TLS_CACERT <path to SSL certificate>
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-
SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
AES128-SHA256:ECDHE-RSA-AES128-SHA256

If using SAML:

[authentication]
authType = SAML
authSettings = <saml_strategy>
[<saml_strategy>]
entityId = <saml entity>
idpSSOUrl = <saml URL>
idpCertPath = <path to certificate>

After configuring LDAP or SAML, open the Splunk Web console.

Select Settings >> Access Controls >> Users.

Create appropriate LDAP and SAML users and groups for the environment.

Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP or SAML account.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for-Linux_V1R3_STIG.zip

Item Details

References: CAT|I, CCI|CCI-000764, Rule-ID|SV-251679r819103_rule, STIG-ID|SPLK-CL-000320, Vuln-ID|V-251679

Plugin: Splunk

Control ID: 1ca8f1772ea92afc96c222da58c15cecb47ddf3155916a3bfc6ec1191552b3ac