STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.

DISA Rule

SV-221601r663926_rule

Vulnerability Number

V-221601

Group Title

SRG-APP-000148-AU-002270

Rule Version

SPLK-CL-000020

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Select Settings >> Access Controls >> Authentication method.

If using LDAP for user accounts:
Select LDAP and create an LDAP strategy with the proper settings to connect to the LDAP server.
Map the appropriate LDAP groups to the appropriate Splunk roles for proper user access.

If using SAML for user accounts:
Select SAML and create an SAML strategy with the proper settings to connect to the SAML provider.
Map the appropriate SAML groups to the appropriate Splunk roles for proper user access.

Check Contents

If the instance being checked is in a distributed environment and has the web interface disabled, this check is N/A.

Select Settings >> Access Controls >> Authentication method.

Verify that LDAP or SAML is selected.

If LDAP or SAML is not selected, this is a finding.
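
The same check can be made against the configuration rather than the web interface. The following is an added example, not part of the STIG or of Splunk's own tooling. It assumes its input is the merged authentication settings (for instance the output of `splunk btool authentication list`) and that the method is recorded in Splunk's `authentication.conf` keys `authType` and `authSettings` with `roleMap_` stanzas, none of which are named on this page. The sample configurations are constructed.

```python
import re

ACCEPTED = {"ldap", "saml"}  # the only methods the check accepts

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_auth(conf_text):
    """Return (finding, fix_gaps).

    finding  -> True when the method is not LDAP or SAML (the check itself).
    fix_gaps -> items from the Fix Recommendation that look incomplete.
    """
    conf = parse_conf(conf_text)
    auth = conf.get("authentication", {})
    auth_type = auth.get("authType", "Splunk")  # unset means native Splunk auth
    if auth_type.lower() not in ACCEPTED:
        return True, [f"authType is {auth_type!r}, not LDAP or SAML"]
    names = [s.strip() for s in auth.get("authSettings", "").split(",") if s.strip()]
    gaps = [f"strategy stanza [{n}] is missing" for n in names if n not in conf]
    if not names:
        gaps.append("authSettings names no strategy")
    if not any(k.startswith("roleMap_") and v for k, v in conf.items()):
        gaps.append("no roleMap_ stanza maps groups to Splunk roles")
    return False, gaps

# Constructed sample configurations (not taken from a real deployment).
NATIVE = "[authentication]\nauthType = Splunk\n"
LDAP_OK = """
[authentication]
authType = LDAP
authSettings = corp_ldap
[corp_ldap]
host = ldap.example.org
[roleMap_corp_ldap]
admin = SplunkAdmins
"""
LDAP_NO_MAP = LDAP_OK.split("[roleMap_")[0]  # same strategy, role mapping removed
```

`check_auth` reports a finding only for the condition the check states. A missing strategy or role mapping is returned separately, because the check itself does not make it a finding.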

Documentable

False

Check Content Reference

M

Target Key

4082
