SV-221608r508660_rule
V-221608
SRG-APP-000439-AU-004310
SPLK-CL-000070
CAT I
10
Edit the following files in the installation to configure Splunk to use SSL certificates.
(Note that these files may exist in one of the following folders or their subfolders:
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/slave-apps/)
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.
$SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment.
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout:group1]
disabled = 0
clientCert = <path to the DoD approved certificate in PEM format>
sslPassword = <password for the certificate>
Execute a search query in Splunk using the following:
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl
Verify that the report returns ssl = true for every item listed.
If the report returns ssl = false for any item, this is a finding.
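The check above is performed as a Splunk search, but the same test can be applied to exported _internal metrics.log lines when reviewing evidence offline. The following Python script is an added example, not part of the STIG text or any Splunk-provided tool: it parses constructed sample lines in the shape of group=tcpin_connections metrics events, keeps the most recent event per hostname (the equivalent of "| dedup hostname" over time-descending search results), and reports a finding for any host whose ssl field is not "true". The sample log lines, host names and IP addresses are constructed for illustration; a missing ssl field is treated as a finding, which is an assumption of this script rather than a statement from the page.

```python
import re
from datetime import datetime

# Key=value pairs in metrics.log are comma separated; bare tokens such as
# "10.1.1.10:51000:9997" carry no "=" and are skipped by this pattern.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f %z"

# Constructed sample lines in the shape of Splunk's _internal metrics.log
# tcpin_connections events (not real output from any environment).
SAMPLE_METRICS_LOG = """\
01-15-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.10:51000:9997, connectionType=cooked, sourcePort=51000, sourceHost=fwd01.example.net, sourceIp=10.1.1.10, destPort=9997, kb=12.3, hostname=fwd01, fwdType=uf, version=9.1.2, ssl=true
01-15-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.11:51002:9997, connectionType=cooked, sourcePort=51002, sourceHost=fwd02.example.net, sourceIp=10.1.1.11, destPort=9997, kb=8.0, hostname=fwd02, fwdType=uf, version=9.1.2, ssl=false
01-15-2024 10:01:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.1.10:51000:9997, connectionType=cooked, sourcePort=51000, sourceHost=fwd01.example.net, sourceIp=10.1.1.10, destPort=9997, kb=11.9, hostname=fwd01, fwdType=uf, version=9.1.2, ssl=true
01-15-2024 10:01:01.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""


def parse_tcpin_connections(log_text):
    """Return one dict per tcpin_connections event with the fields the STIG search tables."""
    events = []
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue  # other metrics groups (thruput, queue, ...) are irrelevant here
        date, clock, tz, _rest = line.split(" ", 3)
        kv = dict(KV_RE.findall(line))
        events.append({
            "_time": datetime.strptime(f"{date} {clock} {tz}", TS_FMT),
            "hostname": kv.get("hostname"),
            "sourceIp": kv.get("sourceIp"),
            "destPort": kv.get("destPort"),
            # Anything other than a literal "true" (including an absent field)
            # is treated as a non-SSL connection; that is this script's assumption.
            "ssl": kv.get("ssl", "").lower() == "true",
        })
    return events


def dedup_by_hostname(events):
    """Keep the most recent event per hostname, as '| dedup hostname' does over
    Splunk's time-descending results."""
    latest = {}
    for event in sorted(events, key=lambda e: e["_time"], reverse=True):
        latest.setdefault(event["hostname"], event)
    return list(latest.values())


def evaluate_stig_check(events):
    """Apply the SPLK-CL-000070 verdict: any host with ssl != true is a finding."""
    deduped = dedup_by_hostname(events)
    non_ssl_hosts = sorted(e["hostname"] for e in deduped if not e["ssl"])
    return {
        "hosts_checked": len(deduped),
        "non_ssl_hosts": non_ssl_hosts,
        "finding": bool(non_ssl_hosts),
    }


if __name__ == "__main__":
    result = evaluate_stig_check(parse_tcpin_connections(SAMPLE_METRICS_LOG))
    print(f"hosts checked: {result['hosts_checked']}")
    for host in result["non_ssl_hosts"]:
        print(f"FINDING: {host} is forwarding without SSL")
    print("result:", "Open" if result["finding"] else "Not a Finding")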
V-221608
False
SPLK-CL-000070
M
4082