STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.

DISA Rule

SV-221932r508660_rule

Vulnerability Number

V-221932

Group Title

SRG-APP-000427-AU-000040

Rule Version

SPLK-CL-000040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Request a DoD-approved certificate and a copy of the DoD root CA public certificate and place the files in a location for Splunk use.

Convert the certificate files to PEM format, following the Splunk Enterprise system documentation.

Check Contents

Verify the properties of the certificates used by Splunk to ensure that the Issuer is the DoD trusted CA.

Check the following files for the certificates in use by Splunk.

This file is located on the machine used as the search head, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/web.conf

[settings]
serverCert = <path to the DoD approved certificate in PEM format>

This file is located on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[SSL]
serverCert = <path to the DoD approved certificate in PEM format>

This file is located on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
clientCert = <path to the DoD approved certificate in PEM format>

Verify each certificate listed above with the following command:

openssl x509 -text -inform PEM -in <name of cert>

If the certificate issuer is not a DoD trusted CA, this is a finding.
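The check above is manual: open three conf files, find the certificate each names, run openssl on it, and read the Issuer line. The following script, added here as an example and not part of the STIG, DISA or Splunk, automates the same steps: it parses the stanza/key pairs the check lists (`[settings] serverCert`, `[SSL] serverCert`, `[tcpout:group1] clientCert`), confirms the file is PEM-wrapped as the fix requires, runs the exact `openssl x509 -text -inform PEM` command, and tests the Issuer attributes. The required issuer attributes (`O = U.S. Government`, `OU = DoD`) are an assumption for the example and should be set to the approved CA list in use; the conf contents, openssl output and PEM body are constructed samples, not real files or certificates.

```python
"""Added audit helper for the SPLK-CL-000040 check (not STIG, DISA or Splunk code).
Assumptions are marked below; every sample value is constructed."""
import base64
import configparser
import re
import ssl
import subprocess
from pathlib import Path

# Stanza and key that name the certificate in each conf file listed in the check text.
CERT_KEYS = {
    "web.conf": ("settings", "serverCert"),
    "inputs.conf": ("SSL", "serverCert"),
    "outputs.conf": ("tcpout:group1", "clientCert"),
}

# Issuer attributes a DoD CA-issued certificate is expected to carry.
# ASSUMPTION for this example: replace with the approved CA list your site uses.
REQUIRED_ISSUER_ATTRS = {"O": "U.S. Government", "OU": "DoD"}


def cert_path_from_conf(conf_name, conf_text):
    """Return the certificate path configured in a Splunk .conf file, or None if it is unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive (serverCert, clientCert)
    parser.read_string(conf_text)
    stanza, key = CERT_KEYS[conf_name]
    if not parser.has_section(stanza):
        return None
    return parser.get(stanza, key, fallback=None)


def parse_issuer(openssl_text):
    """Parse the 'Issuer:' line of `openssl x509 -text` output into {attr: [values...]}.
    Accepts both 'C = US' and 'C=US' spellings; repeated attributes (several OU=) keep their order.
    A comma inside an attribute value would split wrongly; DoD CA names do not contain commas."""
    match = re.search(r"^\s*Issuer:\s*(.+?)\s*$", openssl_text, re.MULTILINE)
    if not match:
        return {}
    attrs = {}
    for part in match.group(1).split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def issuer_is_dod(issuer_attrs, required=REQUIRED_ISSUER_ATTRS):
    """True when every required attribute value is present in the issuer DN."""
    return all(value in issuer_attrs.get(key, []) for key, value in required.items())


def is_pem(cert_text):
    """True if the text is a PEM-wrapped certificate, the format the fix text calls for."""
    try:
        ssl.PEM_cert_to_DER_cert(cert_text.strip())
        return True
    except ValueError:  # also covers binascii.Error raised by a bad base64 body
        return False


def audit_cert_file(path, openssl="openssl"):
    """Run the check's openssl command on one certificate file (needs openssl on PATH).
    Returns (is_pem, issuer_attrs, issuer_is_dod); a False in the last slot is a finding."""
    text = Path(path).read_text(encoding="ascii", errors="replace")
    out = subprocess.run([openssl, "x509", "-text", "-inform", "PEM", "-in", str(path)],
                         capture_output=True, text=True, check=True).stdout
    issuer = parse_issuer(out)
    return is_pem(text), issuer, issuer_is_dod(issuer)


# --- Constructed samples: not real Splunk files, openssl output or certificates ---
SAMPLE_WEB_CONF = ("[settings]\nhttpport = 8000\nenableSplunkWebSSL = true\n"
                   "serverCert = $SPLUNK_HOME/etc/auth/dod/web-server.pem\n")
SAMPLE_INPUTS_CONF = ("[SSL]\nserverCert = $SPLUNK_HOME/etc/auth/dod/indexer.pem\n"
                      "requireClientCert = true\n\n[splunktcp-ssl:9997]\ndisabled = 0\n")
SAMPLE_OUTPUTS_CONF = ("[tcpout]\ndefaultGroup = group1\n\n[tcpout:group1]\n"
                       "server = indexer1.example.mil:9997\n"
                       "clientCert = $SPLUNK_HOME/etc/auth/dod/forwarder.pem\n")
SAMPLE_OPENSSL_DOD = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                      "        Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = EXAMPLE DOD ISSUING CA\n"
                      "        Subject: C = US, O = U.S. Government, OU = DoD, CN = splunk-sh.example.mil\n")
# Constructed to resemble the self-signed CA Splunk ships by default, which must not pass this check.
SAMPLE_OPENSSL_DEFAULT = ("Certificate:\n    Data:\n"
                          "        Issuer: C=US, ST=CA, L=San Francisco, O=Splunk, CN=SplunkCommonCA\n")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a real certificate").decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, text in [("web.conf", SAMPLE_WEB_CONF), ("inputs.conf", SAMPLE_INPUTS_CONF),
                       ("outputs.conf", SAMPLE_OUTPUTS_CONF)]:
        print(f"{name}: {cert_path_from_conf(name, text)}")
    print("DoD issuer:", issuer_is_dod(parse_issuer(SAMPLE_OPENSSL_DOD)),
          "| default Splunk issuer:", issuer_is_dod(parse_issuer(SAMPLE_OPENSSL_DEFAULT)))
```

To use it on a live host, call `audit_cert_file()` with each path that `cert_path_from_conf()` returns from the real files under `$SPLUNK_HOME/etc/system/local/`; a `None` path (stanza present but no cert key) and a `False` issuer result are both findings under this rule, and a non-PEM file will make the `-inform PEM` command fail, which is the symptom the fix text's conversion step addresses.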

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4082

Comments