STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.

DISA Rule

SV-221602r508660_rule

Vulnerability Number

V-221602

Group Title

SRG-APP-000148-AU-002270

Rule Version

SPLK-CL-000030

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Select Settings >> Access Controls >> Users.

Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP account.

Check Contents

Select Settings >> Access Controls >> Users.

Verify that no user accounts exist with Authentication system set to Splunk except an account of last resort. They should all be set to LDAP or SAML.

If any user accounts have Authentication system set to Splunk, with the exception of one emergency account of last resort, this is a finding.
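
The check above applied to an exported user list, as an added example that is not part of the STIG or of Splunk's own tooling. It assumes the list is JSON with `entry[].name` and `entry[].content.type` holding the Authentication system value; the sample users and the `emergency_account` parameter are constructed for illustration.

```python
import json

# Constructed sample in the shape of a JSON user listing (assumed layout:
# entry[].name and entry[].content.type); not output from a real system.
SAMPLE_USERS = json.dumps({"entry": [
    {"name": "breakglass", "content": {"type": "Splunk"}},
    {"name": "svc_report", "content": {"type": "Splunk"}},
    {"name": "jdoe", "content": {"type": "LDAP"}},
    {"name": "asmith", "content": {"type": "SAML"}},
]})


def evaluate_local_accounts(users_json, emergency_account=None):
    """Apply the check: local (Splunk-authenticated) accounts beyond one
    emergency account of last resort are a finding."""
    entries = json.loads(users_json).get("entry", [])
    local, other = [], []
    for entry in entries:
        auth = str(entry.get("content", {}).get("type", "")).strip()
        name = entry.get("name", "")
        if auth.lower() == "splunk":
            local.append(name)
        elif auth.upper() not in ("LDAP", "SAML"):
            other.append((name, auth or "<missing>"))

    if emergency_account is not None:
        # A named emergency account is the only local account allowed.
        offending = [n for n in local if n != emergency_account]
    else:
        # No name given: one local account is tolerated. With more than one,
        # all are listed because the emergency account cannot be told apart.
        offending = list(local) if len(local) > 1 else []

    return {
        "finding": bool(offending),
        "local_accounts": sorted(local),
        "offending_accounts": sorted(offending),
        "needs_review": sorted(other),  # neither Splunk, LDAP nor SAML
    }


if __name__ == "__main__":
    result = evaluate_local_accounts(SAMPLE_USERS, "breakglass")
    print(json.dumps(result, indent=2))
```

Accounts listed under `needs_review` are not a finding under this rule's wording; they are surfaced because the check expects every remaining account to be LDAP or SAML.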

Documentable

False

Severity Override Guidance

Select Settings >> Access Controls >> Users.

Verify that no user accounts exist with Authentication system set to Splunk except an account of last resort. They should all be set to LDAP or SAML.

If any user accounts have Authentication system set to Splunk, with the exception of one emergency account of last resort, this is a finding.

Check Content Reference

M

Target Key

4082
