This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check is N/A. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory and view the web.conf file. If the web.conf file does not exist, this is a finding. If "tools.sessions.timeout" is missing or is configured to 16 or more, this is a finding.
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the web.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify/add the following line in the web.conf file under the [settings] stanza (the value is in minutes):
tools.sessions.timeout = 15
Interview the SA to verify that a report exists to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage. Interview the ISSO to confirm receipt of this report. If Splunk Enterprise is not configured to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage, this is a finding.
Configure Splunk Enterprise, using the reporting and notification tools, to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage.
This check is applicable to the instance with the Search Head role, which may be a different instance in a distributed environment. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "lockoutAttempts" is missing or is configured to more than 3, this is a finding. If the "lockoutThresholdMins" is missing or is configured to less than 15, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth] stanza:
lockoutAttempts = 3
lockoutThresholdMins = 15
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If "lockoutUsers" is missing or is configured to 0 or False, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following line in the authentication.conf file under the [splunk_auth] stanza:
lockoutUsers = True (or 1)
This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check is N/A. Verify that the Standard Mandatory DOD Notice and Consent Banner appears before access to Splunk Enterprise is granted. If the Standard Mandatory DOD Notice and Consent Banner is not presented, this is a finding.
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. Configure Splunk Enterprise to display the Mandatory DOD Notice and Consent Banner by modifying the web.conf file. Add/modify the line: login_content = <script>function DoDBanner() {alert("You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.");}DoDBanner();</script> The string in the above line will be the text of the DOD consent banner.
This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as an indexer, this check is N/A. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the indexes.conf file. If the indexes.conf file does not exist, this is a finding. If the "enableDataIntegrityControl" is missing or is configured to 0 or false for each index, this is a finding.
If the indexes.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following line in the indexes.conf file under each index stanza:
enableDataIntegrityControl = 1 (or True)
Examine the site documentation that lists the scope of coverage for the instance being reviewed. Select Settings >> Data Inputs. Verify that data inputs are configured to support the scope of coverage documented for the site. If Splunk Enterprise is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.
Configure Splunk Enterprise to aggregate log records from organization-defined devices and hosts within its scope of coverage, as defined in the site security plan.
This check is applicable to the instance with the Indexer role or the Forwarder role, which may be a different instance in a distributed environment. Verify that the Splunk Enterprise environment is configured to ingest log records from different hosts. On the forwarders, check that the outputs.conf file is configured with the details of the indexer that is ingesting the log data (e.g., hostname, port). On the indexer, check that the inputs.conf file is configured with the receiving input (e.g., [splunktcp-ssl:9997]) that the forwarders send to. If Splunk Enterprise is not configured to perform analysis of log records from across multiple hosts, this is a finding.
On the forwarders, configure outputs.conf with the information of the indexer that the data will be sent to for analysis. On the indexer, configure the inputs.conf file with the receiving input that the forwarders send their data to for analysis.
This check is applicable to the instance with the Indexer role, which may be a different instance in a distributed environment. Examine the site documentation for the retention time for log data. Examine the following file in the Splunk installation folder: $SPLUNK_HOME/etc/system/local/indexes.conf For each index defined in the scope, the frozenTimePeriodInSecs setting should match the site documentation. If the settings do not match, this is a finding.
Edit the following file in the Splunk installation folder: $SPLUNK_HOME/etc/system/local/indexes.conf Set frozenTimePeriodInSecs to the defined retention period for each index location.
Review the log records sent in Splunk Enterprise and verify that the log records retain the DoD-defined attributes. If the log files do not retain the DoD-defined attributes, this is a finding.
Configure Splunk Enterprise to retain the DoD-defined attributes of the log records sent by the devices and hosts. Use Splunk Enterprise to modify the props.conf file to include the DoD-defined attributes.
This check is applicable to the instance with the Search Head role, which may be a different instance in a distributed environment. Select Settings >> Users. If users have the admin role that are not defined by the ISSM as requiring admin rights, this is a finding. LDAP Groups Check: Select Settings >> Authentication Method >> LDAP Settings >> Map Groups. Obtain the LDAP group name mapped to the admin role. Request from the LDAP administrator the group membership of this LDAP group, and compare to the list of individuals appointed by the ISSM. If users that are not defined by the ISSM as requiring admin rights are present in the admin role membership, this is a finding.
Provide the list of individuals assigned by the ISSM to be members of the admin role to the Splunk Enterprise administrator. Provide the list of individuals assigned by the ISSM to be members of the admin role to the LDAP administrator to add to the LDAP group mapped to the admin role. Create user accounts and assign the admin role for users provided in the lists.
Verify that the Splunk Enterprise environment is configured to offload log records to an external source. On the forwarder, check that the outputs.conf file is configured with the details of the source that the logs will be sent to (e.g., hostname, port). If Splunk Enterprise is not configured to offload log records to an external source, this is a finding.
This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment. On the forwarders, configure outputs.conf with the information of the indexer that the data will be sent to for analysis. This configuration is also performed on the machine used as the assigned indexer for the forwarder in a distributed environment. On the indexer, configure the inputs.conf file with the receiving input that the forwarders send their data to for analysis.
Perform the following checks. If any do not comply, this is a finding.
1. Examine the following file in the Splunk installation folder. Note: If necessary, run the "btool" command within Splunk to first determine where the effective setting is contained (for example: splunk btool server list diskUsage --debug), then validate/change that setting.
$SPLUNK_HOME/etc/system/local/server.conf
Locate the following setting:
[diskUsage]
minFreeSpace = xxxx
Verify that the value is set to 25 percent of the size of the storage volume. For example, 25 percent of a 100GB drive is 25GB, and the value set would be 25000, as the value is in megabytes.
2. Examine the following file in the Splunk installation folder:
$SPLUNK_HOME/etc/system/local/health.conf
Locate the following setting:
[alert_action:email]
disabled = 0
action.to =
action.cc =
Verify that the email addresses of the ISSO and SA are set to receive alerts. This email address can be a group address (example: alerts@domain.com) that contains the addresses of the ISSO and SA.
3. In the Splunk console, select Settings >> Health Report Manager >> feature:disk_space. Verify that the Red setting is 1 and the Yellow setting is 2.
Perform the following fixes.
1. Edit the following file in the Splunk installation folder:
$SPLUNK_HOME/etc/system/local/server.conf
Add the following lines:
[diskUsage]
minFreeSpace = xxxx
Set the value to 25 percent of the size of the storage volume. For example, 25 percent of a 100GB drive is 25GB, and the value set would be 25000, as the value is in megabytes.
2. Edit the following file in the Splunk installation folder:
$SPLUNK_HOME/etc/system/local/health.conf
Add the following lines:
[alert_action:email]
disabled = 0
action.to =
action.cc =
Set the email addresses of the ISSO and SA so that they receive alerts. This email address can be a group address (example: alerts@domain.com) that contains the addresses of the ISSO and SA.
3. In the Splunk console, select Settings >> Health Report Manager >> feature:disk_space. Set the Red setting to 1 and the Yellow setting to 2.
Interview the SA to verify that a report exists to notify the SA and ISSO of any audit failure, such as loss of communication or logs no longer being collected. Interview the ISSO to confirm receipt of this report. If a report does not exist to notify the SA and ISSO of audit failure events, or the ISSO does not confirm receipt of the report, this is a finding.
Configure Splunk Enterprise, using the reporting and notification tools, to create a report with notification to the SA and ISSO of any audit failure events, such as loss of communication or logs no longer being collected.
If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A. Interview the SA to verify that a report exists to notify the SA and ISSO of any audit failure, such as loss of communication or logs no longer being collected. Interview the ISSO to confirm receipt of this report. If a report does not exist to notify the SA and ISSO of audit failure events, or the ISSO does not confirm receipt of this report, this is a finding.
If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A. Configure Splunk Enterprise, using the reporting and notification tools, to create a report with notification to the SA and ISSO of any audit failure events, such as loss of communication or logs no longer being collected.
This check must be done as the "splunk" user created during installation. Verify that the owner and group of the installation directories are set to the splunk user:
ls -ld $SPLUNK_HOME $SPLUNK_ETC
If the owner or group is not set to the splunk user, this is a finding. Check for 700 as the permission:
stat -c "%a %n" $SPLUNK_HOME $SPLUNK_ETC
If the permissions are not set to 700, this is a finding.
Only the "splunk" and root users should have access to the Splunk Enterprise installation directories. Set the owner, group, and permissions of both directories:
chown splunk $SPLUNK_HOME $SPLUNK_ETC
chgrp splunk $SPLUNK_HOME $SPLUNK_ETC
chmod 700 $SPLUNK_HOME $SPLUNK_ETC
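An added Python equivalent of the ls/stat check above, for use from a cron job or configuration-management run; it is example code written for this page, not part of the STIG or of Splunk. It compares the owner, group, and permission bits of each directory with the expected values and returns one finding per deviation, including a directory that is missing altogether. The directories it creates under the system temp directory are throwaway stand-ins for $SPLUNK_HOME and $SPLUNK_ETC; for a real run pass the real paths and the ids from pwd.getpwnam("splunk").

```python
import os
import stat
import tempfile


def owner_of(path):
    """(uid, gid) of a path, for comparison against the splunk account's ids."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def audit_dir_perms(paths, expected_uid, expected_gid, expected_mode=0o700):
    """Return one finding string per deviation: missing path, wrong owner/group,
    or a permission mode other than expected_mode (0700 per the STIG)."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: does not exist")
            continue
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, "
                            f"expected {expected_uid}:{expected_gid}")
        mode = stat.S_IMODE(st.st_mode)  # permission bits only, no file-type bits
        if mode != expected_mode:
            findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    return findings


def make_demo_tree():
    """Constructed stand-ins: one compliant directory, one that is too open,
    and the path of a directory that does not exist."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "splunk")
    bad = os.path.join(root, "splunk-etc")
    os.mkdir(good)
    os.mkdir(bad)
    os.chmod(good, 0o700)  # chmod explicitly; mkdir's mode argument is masked by the umask
    os.chmod(bad, 0o755)
    return good, bad, os.path.join(root, "missing")


if __name__ == "__main__":
    good, bad, missing = make_demo_tree()
    uid, gid = owner_of(good)  # real audit: pwd.getpwnam("splunk").pw_uid / .pw_gid
    for finding in audit_dir_perms([good, bad, missing], uid, gid):
        print("FINDING:", finding)
```

The numeric comparison deliberately avoids name lookups, so a directory left owned by a stale uid after the splunk account was recreated is still reported.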
Interview the SA to verify that a process exists to back up the Splunk log data every seven days, using the underlying OS backup tools or another approved backup tool. If a backup plan does not exist for the Splunk log data, this is a finding.
Implement a backup plan for the Splunk log data, following the Splunk documentation on backing up indexed data. Use the underlying OS backup tools, or another approved backup tool.
Review the log records in Splunk Enterprise and verify that the log records retain the identity of the original source host or device where the event occurred. If the log files do not retain the identity of the original source host or device where the event occurred, this is a finding.
Configure Splunk Enterprise to retain the identity of the original source host or device where the event occurred. Use Splunk Enterprise to modify the props.conf file to include the identity of the original source host or device where the event occurred.
This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the inputs.conf file. If any input is configured to use a UDP port, this is a finding.
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Navigate to $SPLUNK_HOME/etc/system/local/ Modify the inputs.conf file to replace any input that is using a UDP port with a TCP port.
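The indexer-side checks above (data integrity control and retention per index, minFreeSpace in server.conf, and no UDP inputs) all reduce to reading a few .conf stanzas, which is easy to script. The Python below is an added example written for this page, not code from DISA or from Splunk; the three .conf excerpts and the retention table are constructed samples. One caveat the STIG wording leaves implicit: splunkd layers $SPLUNK_HOME/etc/system/local over app and default directories, so an index can inherit enableDataIntegrityControl or frozenTimePeriodInSecs from its [default] stanza or from another app. The example honours the [default] fallback; "splunk btool indexes list --debug" shows the fully merged view.

```python
import configparser

# Constructed sample of an indexer's $SPLUNK_HOME/etc/system/local/indexes.conf.
# "firewall" is deliberately out of policy; [volume:...] stanzas are not indexes.
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 31536000

[main]
homePath = $SPLUNK_DB/defaultdb/db
enableDataIntegrityControl = 1

[firewall]
homePath = $SPLUNK_DB/firewall/db
enableDataIntegrityControl = 0
frozenTimePeriodInSecs = 15552000

[volume:hot]
path = /opt/splunk/var/lib/splunk
"""

# Constructed sample inputs.conf: one syslog input still listens on UDP.
SAMPLE_INPUTS_CONF = """
[splunktcp-ssl:9997]
disabled = 0

[udp://514]
sourcetype = syslog

[tcp://1514]
sourcetype = syslog
"""

# Constructed sample server.conf with minFreeSpace far below 25 percent of the volume.
SAMPLE_SERVER_CONF = """
[diskUsage]
minFreeSpace = 5000
"""

# Constructed stand-in for the site documentation's retention table (seconds per index).
DOCUMENTED_RETENTION = {"main": 31536000, "firewall": 7776000}


def parse_conf(text):
    """Splunk .conf files are INI-style with case-sensitive keys and '$' in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def index_stanzas(cp):
    """Index stanzas are everything except [default] and [volume:...]."""
    return [s for s in cp.sections() if s != "default" and not s.startswith("volume:")]


def effective(cp, stanza, key):
    """Per-index value, falling back to [default] the way splunkd layers them."""
    if cp.has_option(stanza, key):
        return cp.get(stanza, key)
    if cp.has_option("default", key):
        return cp.get("default", key)
    return None


def audit_indexes(indexes_text, documented_retention):
    cp = parse_conf(indexes_text)
    findings = []
    for idx in index_stanzas(cp):
        integrity = effective(cp, idx, "enableDataIntegrityControl")
        if integrity is None or integrity.strip().lower() not in ("1", "true"):
            findings.append(f"{idx}: enableDataIntegrityControl missing or disabled")
        retention = effective(cp, idx, "frozenTimePeriodInSecs")
        documented = documented_retention.get(idx)
        if documented is None:
            findings.append(f"{idx}: no retention period in site documentation")
        elif retention is None or int(retention) != documented:
            findings.append(f"{idx}: frozenTimePeriodInSecs = {retention}, "
                            f"site documentation says {documented}")
    return findings


def audit_udp_inputs(inputs_text):
    """Any [udp://...] or [udp:...] stanza is a finding; TCP inputs are fine."""
    cp = parse_conf(inputs_text)
    return [f"{s}: UDP input must be replaced with a TCP input"
            for s in cp.sections() if s.lower().startswith("udp:")]


def required_min_free_space_mb(volume_gb):
    """25 percent of the volume in megabytes, using the STIG's 100 GB -> 25000 convention."""
    return volume_gb * 1000 // 4


def audit_min_free_space(server_text, volume_gb):
    cp = parse_conf(server_text)
    required = required_min_free_space_mb(volume_gb)
    configured = cp.get("diskUsage", "minFreeSpace", fallback=None)
    if configured is None or int(configured) < required:
        return [f"[diskUsage] minFreeSpace = {configured}, must be at least "
                f"{required} MB for a {volume_gb} GB volume"]
    return []


if __name__ == "__main__":
    for finding in (audit_indexes(SAMPLE_INDEXES_CONF, DOCUMENTED_RETENTION)
                    + audit_udp_inputs(SAMPLE_INPUTS_CONF)
                    + audit_min_free_space(SAMPLE_SERVER_CONF, volume_gb=100)):
        print("FINDING:", finding)
```

Point the functions at the real files with open(path).read() and at the real volume size from df; an index that is missing from the site documentation is reported as well, since retention that nobody has defined cannot be verified.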
Interview the SA to verify that a report exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. Interview the ISSO to confirm receipt of this report. If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.
Configure Splunk Enterprise, using the Reporting and Alert tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
Execute a search query in Splunk using the following:
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl
Verify that the report returns ssl = true for every item listed. Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify that enableSplunkWebSSL is set to 1. If the report returns ssl = false for any item, or if enableSplunkWebSSL is not set to 1, this is a finding.
Edit the following files in the installation to configure Splunk to use SSL certificates.
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.
$SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. Edit the following file in the installation to configure Splunk to use SSL certificates:
$SPLUNK_HOME/etc/system/local/web.conf
[settings]
enableSplunkWebSSL = 1
privKeyPath = <path to the private key generated for the DoD approved certificate>
serverCert = <path to the DoD approved certificate in PEM format>
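The SPL search in the check above lists only each forwarder's most recent tcpin_connections metric, because dedup hostname keeps the newest event per host. A forwarder that sent in the clear earlier in the search window and then reconnected over TLS therefore drops out of the table even though plaintext log data already crossed the network. The Python below is an added example, not code from the STIG or from Splunk, that reproduces the search's logic over a constructed metrics.log excerpt (the field set is trimmed to what the search tables; real lines carry many more counters) and can additionally report every host that connected without TLS at any point in the window.

```python
import re
from datetime import datetime

# Constructed metrics.log excerpt, not taken from a real indexer. fwd02 first connects
# without TLS and later reconnects with it; fwd03 never does; the last line is a
# different metrics group and must be ignored.
SAMPLE_METRICS_LOG = """\
03-10-2023 14:00:31.101 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:45678:9997, connectionType=cooked, sourcePort=45678, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, kb=12.34, version=9.0.4, hostname=fwd01, fwdType=uf, ssl=true, ack=false
03-10-2023 14:00:31.102 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.6:50122:9997, connectionType=cooked, sourcePort=50122, sourceHost=10.0.0.6, sourceIp=10.0.0.6, destPort=9997, kb=3.20, version=8.2.9, hostname=fwd02, fwdType=uf, ssl=false, ack=false
03-10-2023 14:01:01.105 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.6:50140:9997, connectionType=cooked, sourcePort=50140, sourceHost=10.0.0.6, sourceIp=10.0.0.6, destPort=9997, kb=4.10, version=9.0.4, hostname=fwd02, fwdType=uf, ssl=true, ack=false
03-10-2023 14:01:01.106 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.7:41000:9997, connectionType=cooked, sourcePort=41000, sourceHost=10.0.0.7, sourceIp=10.0.0.7, destPort=9997, kb=0.80, version=8.2.9, hostname=fwd03, fwdType=uf, ssl=false, ack=false
03-10-2023 14:01:01.200 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.5, eps=12.0, kb=45.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) \w+\s+Metrics - (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=([^,]*)")


def parse_tcpin_connections(log_text):
    """One dict per tcpin_connections event, newest first, as Splunk search returns them."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("body")))  # "ip:port:port" token has no '=' and is skipped
        if fields.get("group") != "tcpin_connections":
            continue
        fields["_time"] = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        events.append(fields)
    events.sort(key=lambda e: e["_time"], reverse=True)
    return events


def latest_per_host(events):
    """Equivalent of `| dedup hostname | table _time hostname sourceIp destPort ssl`."""
    seen, rows = set(), []
    for e in events:
        if e["hostname"] in seen:
            continue
        seen.add(e["hostname"])
        rows.append({k: e.get(k) for k in ("_time", "hostname", "sourceIp", "destPort", "ssl")})
    return rows


def hosts_without_ssl(events, latest_only=True):
    """Hostnames whose forwarder connection was not TLS. With latest_only=False, a host that
    connected in the clear at any time in the window is reported even if it has since
    reconnected over TLS, which the dedup-based search would hide."""
    rows = latest_per_host(events) if latest_only else events
    return sorted({r["hostname"] for r in rows if r.get("ssl", "").lower() != "true"})


if __name__ == "__main__":
    evs = parse_tcpin_connections(SAMPLE_METRICS_LOG)
    for row in latest_per_host(evs):
        print(row["_time"], row["hostname"], row["sourceIp"], row["destPort"], row["ssl"])
    print("latest connection not TLS:", hosts_without_ssl(evs))
    print("ever connected without TLS:", hosts_without_ssl(evs, latest_only=False))
```

For the compliance check itself, the second list is the one to act on: a forwarder in the "ever" list has its outputs.conf still permitting a plaintext fallback even if its last reconnect negotiated TLS.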
If the Splunk Installation is not distributed among multiple servers, this check is N/A. Select Settings >> Monitoring Console. In the Monitoring Console, select Settings >> General Setup. Check the Mode type. If set to Standalone, then this requirement is N/A, as all functions provided are necessary for operation. If Mode is set to Distributed, check that each instance is configured only with the server roles necessary for the implementation. If unused roles are configured, this is a finding.
If the Splunk Installation is not distributed among multiple servers, this fix is N/A. Select Settings >> Monitoring Console. In the Monitoring Console, select Settings >> General Setup. Set the Mode type based on the implementation design. If Mode is set to Distributed, set each instance only with the server roles necessary for the desired functions.
This check is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. In the authentication.conf file, verify minimum settings similar to the example below. If any minimum settings are not configured, this is a finding.
If using LDAP:
[authentication]
authType = LDAP
authSettings = <ldap_strategy>
[<ldap_strategy>]
host = <LDAP server>
port = <LDAP port>
sslEnabled = 1
Check the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf. If the file does not exist, this is a finding. Check for the following lines. If any are missing or do not match the settings below, this is a finding.
TLS_REQCERT
TLS_CACERT <path to SSL certificate>
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
If using SAML:
[authentication]
authType = SAML
authSettings = <saml_strategy>
[<saml_strategy>]
entityId = <saml entity>
idpSSOUrl = <saml URL>
idpCertPath = <path to certificate>
Open the Splunk Web console. Select Settings >> Access Controls >> Users. Verify that no user accounts exist with Authentication system set to Splunk except an account of last resort. They must all be set to LDAP or SAML. If any user accounts have Authentication system set to Splunk, with the exception of one emergency account of last resort, this is a finding.
This configuration is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. Edit the authentication.conf file. If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Configure minimum settings similar to the example below for using LDAP or SAML.
If using LDAP:
[authentication]
authType = LDAP
authSettings = <ldap_strategy>
[<ldap_strategy>]
host = <LDAP server>
port = <LDAP port>
sslEnabled = 1
Edit the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf. Configure the following lines for your certificate.
TLS_REQCERT
TLS_CACERT <path to SSL certificate>
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
If using SAML:
[authentication]
authType = SAML
authSettings = <saml_strategy>
[<saml_strategy>]
entityId = <saml entity>
idpSSOUrl = <saml URL>
idpCertPath = <path to certificate>
After configuring LDAP or SAML, open the Splunk Web console. Select Settings >> Access Controls >> Users. Create appropriate LDAP and SAML users and groups for the environment. Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP or SAML account.
This check is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Check the following file in the installation to verify that Splunk is set to use SSL and certificates:
$SPLUNK_HOME/etc/system/local/web.conf
[settings]
enableSplunkWebSSL = 1
privKeyPath = <path to the private key generated for the DoD approved certificate>
serverCert = <path to the DoD approved certificate in PEM format>
If the settings are not configured to use SSL and certificates, this is a finding.
This configuration is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment. Edit the following file in the installation to configure Splunk to use SSL certificates:
$SPLUNK_HOME/etc/system/local/web.conf
[settings]
enableSplunkWebSSL = 1
privKeyPath = <path to the private key generated for the DoD approved certificate>
serverCert = <path to the DoD approved certificate in PEM format>
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "minPasswordUppercase" is missing or is configured to 0, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: minPasswordUppercase = 1
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "minPasswordLowercase" is missing or is configured to 0, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: minPasswordLowercase = 1
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "minPasswordDigit" is missing or is configured to 0, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: minPasswordDigit = 1
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "minPasswordLength" is missing or is configured to 14 or less, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: minPasswordLength = 15 or more
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "minPasswordSpecial" is missing or is configured to 0, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: minPasswordSpecial = 1
Run the following command from the server command line. Note: Run this command as the account of last resort, as no other local user accounts should exist.
splunk show fips-mode -auth <username>:<password>
Verify that the command returns FIPS mode enabled. If the command returns FIPS mode disabled, this is a finding.
FIPS 140-2 mode must be enabled during initial installation. If not enabled, it requires a reinstall or upgrade of the application. Add the following lines to the $SPLUNK_HOME/etc/splunk-launch.conf file during the installation process and before the initial start of Splunk Enterprise:
SPLUNK_COMMON_CRITERIA=1
SPLUNK_FIPS=1
# Do not generate python byte code
PYTHONDONTWRITEBYTECODE=1
This will enable FIPS mode before the initial startup.
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "expirePasswordDays" is missing or is configured to 61 or more, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth]: expirePasswordDays = 60
Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the authentication.conf file. If the authentication.conf file does not exist, this is a finding. If the "enablePasswordHistory" is missing or is configured to False, this is a finding. If the "passwordHistoryCount" is missing or is configured to 4 or less, this is a finding.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify the following lines in the authentication.conf file under the [splunk_auth] stanza:
enablePasswordHistory = True
passwordHistoryCount = 5
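The lockout and password-policy checks above (lockoutUsers, lockoutAttempts, lockoutThresholdMins, the minPassword* settings, expirePasswordDays, and password history) all read the same [splunk_auth] stanza of authentication.conf, and the search head's session timeout check reads tools.sessions.timeout in web.conf. The Python below is an added audit example written for this page, not code from DISA or from Splunk; both .conf excerpts are constructed samples, with lockoutAttempts, minPasswordLength, and the session timeout deliberately out of policy. Each rule follows the STIG wording, so a missing key is a finding just as an out-of-range value is. As with any check that reads only $SPLUNK_HOME/etc/system/local, an app can still override these values in the merged configuration; "splunk btool authentication list splunk_auth --debug" shows the effective stanza and where each value came from.

```python
import configparser

# Constructed sample of a search head's $SPLUNK_HOME/etc/system/local/authentication.conf,
# not a real deployment's file. lockoutAttempts and minPasswordLength are out of policy.
SAMPLE_AUTHENTICATION_CONF = """
[splunk_auth]
lockoutUsers = 1
lockoutAttempts = 5
lockoutThresholdMins = 15
minPasswordLength = 12
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
expirePasswordDays = 60
enablePasswordHistory = True
passwordHistoryCount = 5
"""

# Constructed sample web.conf with the session timeout (minutes) left above 15.
SAMPLE_WEB_CONF = """
[settings]
tools.sessions.timeout = 60
"""


def parse_conf(text):
    """Splunk .conf files are INI-style with case-sensitive keys and '$' in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def as_bool(value):
    return value.strip().lower() in ("1", "true")


# (key, compliance predicate on the raw string value, requirement text). One row per
# STIG check; a missing key fails the check just as an out-of-range value does.
SPLUNK_AUTH_RULES = [
    ("lockoutUsers",          as_bool,                "must be True or 1"),
    ("lockoutAttempts",       lambda v: int(v) <= 3,  "must be 3 or fewer"),
    ("lockoutThresholdMins",  lambda v: int(v) >= 15, "must be 15 or more"),
    ("minPasswordLength",     lambda v: int(v) >= 15, "must be 15 or more"),
    ("minPasswordUppercase",  lambda v: int(v) >= 1,  "must not be 0"),
    ("minPasswordLowercase",  lambda v: int(v) >= 1,  "must not be 0"),
    ("minPasswordDigit",      lambda v: int(v) >= 1,  "must not be 0"),
    ("minPasswordSpecial",    lambda v: int(v) >= 1,  "must not be 0"),
    ("expirePasswordDays",    lambda v: int(v) <= 60, "must be 60 or fewer"),
    ("enablePasswordHistory", as_bool,                "must be True"),
    ("passwordHistoryCount",  lambda v: int(v) >= 5,  "must be 5 or more"),
]


def audit_splunk_auth(auth_text):
    """Findings for the [splunk_auth] stanza; a missing stanza or key is itself a finding."""
    cp = parse_conf(auth_text)
    if not cp.has_section("splunk_auth"):
        return ["[splunk_auth] stanza missing"]
    findings = []
    for key, compliant, requirement in SPLUNK_AUTH_RULES:
        value = cp.get("splunk_auth", key, fallback=None)
        if value is None:
            findings.append(f"{key} missing ({requirement})")
            continue
        try:
            ok = compliant(value)
        except ValueError:  # e.g. "True" where a number is expected
            ok = False
        if not ok:
            findings.append(f"{key} = {value} ({requirement})")
    return findings


def audit_web_session_timeout(web_text):
    """tools.sessions.timeout (minutes) must be present and 15 or less."""
    cp = parse_conf(web_text)
    value = cp.get("settings", "tools.sessions.timeout", fallback=None)
    if value is None:
        return ["tools.sessions.timeout missing (must be 15 or less)"]
    try:
        ok = int(value) <= 15
    except ValueError:
        ok = False
    return [] if ok else [f"tools.sessions.timeout = {value} (must be 15 or less)"]


if __name__ == "__main__":
    for finding in (audit_splunk_auth(SAMPLE_AUTHENTICATION_CONF)
                    + audit_web_session_timeout(SAMPLE_WEB_CONF)):
        print("FINDING:", finding)
```

Note that these settings only govern accounts in Splunk's native authentication store; for LDAP or SAML users the lockout and password policy is enforced by the directory or identity provider, which is why the STIG also limits native accounts to a single account of last resort.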
Examine the configuration. Check the following files in the $SPLUNK_HOME/etc/system/local folder.
inputs.conf: Check is applicable to the indexer, which may be a separate machine in a distributed environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or it is a finding:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
outputs.conf: Check is applicable to the forwarder, which is always a separate machine in the environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or it is a finding:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
server.conf: Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or it is a finding:
sslVersions = tls1.2
sslVersionsForClient = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
web.conf: Check is applicable to the search head or deployment server, which may be a separate machine in a distributed environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or it is a finding:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
Check the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf. Check for the following lines; they must match the settings below or it is a finding:
#TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Note: Splunk Enterprise must operate in FIPS mode to limit the algorithms allowed.
Edit the following files in the $SPLUNK_HOME/etc/system/local folder.
inputs.conf: Fix is applicable to the indexer, which may be a separate machine in a distributed environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or be removed:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
outputs.conf: Fix is applicable to the forwarder, which is always a separate machine in the environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or be removed:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
server.conf: Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or be removed:
sslVersions = tls1.2
sslVersionsForClient = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
web.conf: Fix is applicable to the search head or deployment server, which may be a separate machine in a distributed environment. Check for the following lines. If they do not exist, the settings are compliant. If they exist, they must match the settings below or be removed:
sslVersions = tls1.2
ciphersuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
Edit the following file in the $SPLUNK_HOME/etc/openldap folder: ldap.conf. Set the following lines to match the settings below:
#TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Note: Splunk Enterprise must operate in FIPS mode to limit the algorithms allowed.
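The check and fix above have a conditional shape that a naive grep misses: a TLS key that is absent from a Splunk .conf file is compliant (the FIPS-mode defaults apply), while a key that is present must equal the listed value exactly, and ldap.conf uses a different whitespace-delimited syntax in which the two TLS directives must be present. The Python below is an added audit example written for this page, not DISA's or Splunk's code; the file contents are constructed samples (inputs.conf compliant, server.conf with a permissive sslVersions, web.conf with no TLS keys at all, ldap.conf with TLS_PROTOCOL_MIN one step too low). List values are compared with whitespace removed, because Splunk accepts "prime256v1, secp384r1" and "prime256v1,secp384r1" alike and a formatting difference should not be reported as a finding.

```python
import configparser

ECDHE_SUITE = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
               "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
SERVER_SUITE = ECDHE_SUITE + ":AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256"
CURVES = "prime256v1,secp384r1,secp521r1"

# Required value per file. A key absent from the file is compliant (FIPS-mode defaults
# apply); a key that is present, in any stanza, must match.
REQUIRED = {
    "inputs.conf":  {"sslVersions": "tls1.2", "ciphersuite": ECDHE_SUITE, "ecdhCurves": CURVES},
    "outputs.conf": {"sslVersions": "tls1.2", "ciphersuite": ECDHE_SUITE, "ecdhCurves": CURVES},
    "web.conf":     {"sslVersions": "tls1.2", "ciphersuite": ECDHE_SUITE, "ecdhCurves": CURVES},
    "server.conf":  {"sslVersions": "tls1.2", "sslVersionsForClient": "tls1.2",
                     "ciphersuite": SERVER_SUITE, "ecdhCurves": CURVES},
}
# ldap.conf directives must be present and match.
LDAP_REQUIRED = {"TLS_PROTOCOL_MIN": "3.3", "TLS_CIPHER_SUITE": ECDHE_SUITE}

# Constructed samples, not from a real deployment.
SAMPLE_FILES = {
    "inputs.conf": "[SSL]\nsslVersions = tls1.2\necdhCurves = prime256v1, secp384r1, secp521r1\n",
    "server.conf": "[sslConfig]\nsslVersions = *,-ssl2\nsslVersionsForClient = tls1.2\n",
    "web.conf":    "[settings]\nenableSplunkWebSSL = 1\n",
}
SAMPLE_LDAP_CONF = ("#TLS_PROTOCOL_MIN: 3.1 for TLSv1.0, 3.2 for TLSv1.1, 3.3 for TLSv1.2.\n"
                    "TLS_PROTOCOL_MIN 3.2\n"
                    "TLS_CIPHER_SUITE " + ECDHE_SUITE + "\n")


def parse_conf(text):
    """Splunk .conf files are INI-style with case-sensitive keys and '$' in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def normalize(value):
    """Compare list values without whitespace: 'a, b' and 'a,b' are the same setting."""
    return "".join(value.split())


def audit_splunk_tls(filename, text):
    """Findings for one Splunk .conf file: present-but-wrong keys only."""
    cp = parse_conf(text)
    findings = []
    for stanza in cp.sections():
        for key, required in REQUIRED[filename].items():
            if cp.has_option(stanza, key) and normalize(cp.get(stanza, key)) != normalize(required):
                findings.append(f"{filename} [{stanza}] {key} = {cp.get(stanza, key)} (required {required})")
    return findings


def audit_ldap_conf(text):
    """ldap.conf is 'DIRECTIVE value' per line, '#' comments; both TLS directives are mandatory."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    for name, required in LDAP_REQUIRED.items():
        actual = directives.get(name)
        if actual is None:
            findings.append(f"ldap.conf {name} missing (required {required})")
        elif normalize(actual) != normalize(required):
            findings.append(f"ldap.conf {name} {actual} (required {required})")
    return findings


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for finding in audit_splunk_tls(name, text):
            print("FINDING:", finding)
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF):
        print("FINDING:", finding)
```

The "absent is compliant" rule only holds when FIPS mode is on, as the note in the check says; on an instance that is not in FIPS mode the defaults are broader, so run the FIPS check first.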
On the host OS of the server, verify the properties of the certificate used by Splunk to ensure that the Issuer is the DoD trusted CA. This can be verified with the following command; the Issuer field in the output identifies the signing CA:
openssl x509 -text -inform PEM -in <name of cert>
If the certificate issuer is not a DoD trusted CA, this is a finding.
Request a DoD-approved certificate and a copy of the DoD root CA public certificate, and place the files in a location for Splunk use. Configure the certificate files to the PEM format, using the Splunk Enterprise system documentation.
Check the following files in the installation to verify that Splunk uses SSL certificates for communication between the indexer and the forwarder.
This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.
$SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
If these settings are misconfigured, this is a finding.
This check is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
If these settings are misconfigured, this is a finding.
Edit the following files in the installation to configure Splunk to use SSL certificates.
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.
$SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
If the instance being checked is in a distributed environment and has the web interface disabled, this check is N/A. Verify that Splunk Enterprise is configured to use the DoD CAC or other PKI credential to log in to the application. If it is not configured to allow the use of the DoD CAC or other PKI credential, this is a finding.
Configure an SSO proxy service using Apache, IIS, F5, SAML, etc., to provide PKI credentials to Splunk Enterprise. Examples for Apache and F5 are provided using the supplemental documentation included in this package to be used in addition to the Splunk documentation.