STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Splunk Enterprise must be installed with FIPS mode enabled, to implement NIST FIPS 140-2 approved ciphers for all cryptographic functions.

DISA Rule

SV-221600r508660_rule

Vulnerability Number

V-221600

Group Title

SRG-APP-000514-AU-002890

Rule Version

SPLK-CL-000010

Severity

CAT I

CCI(s)

• CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Weight

10

Fix Recommendation

FIPS 140-2 mode MUST be enabled during installation. If not enabled, it requires a reinstall or upgrade of the application.

The installer must be executed from the command line so that it can be passed the LAUNCHSPLUNK=0 parameter.

This allows Splunk to install and not automatically start up after install.

Example: msiexec /i <splunkinstaller.msi> LAUNCHSPLUNK=0

Using a text editor, edit $SPLUNK_HOME/etc/splunk-launch.conf file, add the line SPLUNK_FIPS=1 to it, restart the server, and then recheck this requirement.

Check Contents

Select the Search and Reporting App.

Execute a search query using the following:

| rest splunk_server=local /services/server/info | fields fips_mode

Verify that the report returns fips_mode = 1.

If the query returns 0, this is a finding.

Vulnerability Number

V-221600

Documentable

False

Rule Version

SPLK-CL-000010

Severity Override Guidance

Select the Search and Reporting App.

Execute a search query using the following:

| rest splunk_server=local /services/server/info | fields fips_mode

Verify that the report returns fips_mode = 1.

If the query returns 0, this is a finding.

Check Content Reference

M

Target Key

4082

Comments