STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.

DISA Rule

SV-221623r538427_rule

Vulnerability Number

V-221623

Group Title

SRG-APP-000090-AU-000070

Rule Version

SPLK-CL-000270

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Provide the list of individuals assigned by the ISSM to be members of the power user role to the LDAP/AD administrator or SAML Identity Provider administrator to add to the security group mapped to the power user role.

Check Contents

If using LDAP:
Select Settings >> Access Controls >> Authentication Method >> LDAP Settings >> Map Groups.
Obtain the group name mapped to the power user role.
Request from the LDAP administrator the group membership of this LDAP group, and compare to the list of individuals appointed by the ISSM.

If using SAML:
Select Settings >> Access Controls >> Authentication Method >> SAML Settings >> Map Groups.
Obtain the group name mapped to the power user role.
Request from the SAML administrator the group membership of this SAML group, and compare to the list of individuals appointed by the ISSM.

If users that are not defined by the ISSM as requiring elevated rights are present in the power user role membership, this is a finding.
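
The comparison in the check above can be scripted; the following is an added example, not part of the STIG or of Splunk. It assumes the role mappings are read from `authentication.conf` `[roleMap_<strategy>]` stanzas (semicolon-separated groups per role) rather than from the Map Groups page, and that the directory or IdP administrator supplies group membership as an export. All group names, account names and the stanza name are constructed, and account names are compared case-insensitively.

```python
import configparser

# Constructed authentication.conf role mappings (sample data, not from the page).
SAMPLE_AUTH_CONF = """
[roleMap_corp_ldap]
admin = SplunkAdmins
power = SplunkPowerUsers;SplunkSeniorAnalysts
user = SplunkUsers
"""
# Constructed group membership, as an LDAP/AD or SAML IdP administrator would export it.
SAMPLE_MEMBERSHIP = {
    "SplunkPowerUsers": ["asmith", "BJones"],
    "SplunkSeniorAnalysts": ["cdoe", "asmith"],
}
# Constructed list of individuals the ISSM appointed to the power role.
SAMPLE_ISSM_APPROVED = ["ASmith", "bjones"]


def groups_mapped_to_role(conf_text, role="power"):
    """Return the external groups that any roleMap_* stanza maps to the role."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(conf_text)
    groups = []
    for section in parser.sections():
        if section.startswith("roleMap_") and parser.has_option(section, role):
            groups += [g.strip() for g in parser.get(section, role).split(";") if g.strip()]
    return groups


def unapproved_members(conf_text, membership, approved, role="power"):
    """Return ({user: [groups]} not on the ISSM list, [groups with no export])."""
    allowed = {name.casefold() for name in approved}
    findings, unreviewed = {}, []
    for group in groups_mapped_to_role(conf_text, role):
        if group not in membership:
            unreviewed.append(group)  # cannot be compared, so report it
            continue
        for user in membership[group]:
            if user.casefold() not in allowed:
                findings.setdefault(user, []).append(group)
    return findings, unreviewed


if __name__ == "__main__":
    found, missing = unapproved_members(SAMPLE_AUTH_CONF, SAMPLE_MEMBERSHIP, SAMPLE_ISSM_APPROVED)
    for user, groups in found.items():
        print(f"FINDING: {user} has the power role via {', '.join(groups)}")
    for group in missing:
        print(f"UNREVIEWED: no membership export for mapped group {group}")
```

Any account returned in the first result is a finding under this rule; a group in the second result is mapped to the power role but was never reviewed, so the check is incomplete until its membership is obtained.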

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4082

Comments