STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Splunk Enterprise must use TCP for data transmission.

DISA Rule

SV-221614r508660_rule

Vulnerability Number

V-221614

Group Title

SRG-APP-000516-AU-000340

Rule Version

SPLK-CL-000170

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Select Settings >> Data Inputs, and verify there are zero inputs configured under UDP. Remove any that exist and recreate using TCP.

It is recommended to set these settings before disabling the web UI of the instance in a distributed environment.

Check Contents

Select Settings >> Data Inputs, and verify there are zero inputs configured under UDP. Splunk supports UDP, but it is not permissible to use.

If any exist, this is a finding.

If the Web UI is disabled, open an OS command prompt and type:

netstat -a -p UDP

If a UDP connection is displayed for 0.0.0.0:514, the instance is listening for Syslog port 514 in UDP, and this is a finding.

Vulnerability Number

V-221614

Documentable

False

Rule Version

SPLK-CL-000170

Severity Override Guidance

Select Settings >> Data Inputs, and verify there are zero inputs configured under UDP. Splunk supports UDP, but it is not permissible to use.

If any exist, this is a finding.

If the Web UI is disabled, open an OS command prompt and type:

netstat -a -p UDP

If a UDP connection is displayed for 0.0.0.0:514, the instance is listening for Syslog port 514 in UDP, and this is a finding.

Check Content Reference

M

Target Key

4082

Comments