STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.

DISA Rule

SV-221936r508660_rule

Vulnerability Number

V-221936

Group Title

SRG-APP-000516-AU-000340

Rule Version

SPLK-CL-000175

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the server is not a forwarder, this check is N/A.

In the Splunk installation folder, edit the following file in the $SPLUNK_HOME/etc/system/local folder:

outputs.conf

Locate the section similar to:

[tcpout:group1]

Note that group1 may be named differently depending on how tcpout was configured.

Add the following line under the group stanza above:

useACK=true

Check Contents

If the server being reviewed is not a forwarder, this check is N/A.

In the Splunk installation folder, check the following file in the $SPLUNK_HOME/etc/system/local folder:

outputs.conf

Locate the section similar to:

[tcpout:group1]
useACK=true

Note that group1 may be named differently depending on how tcpout was configured.

If the useACK=true statement is missing or set to false, this is a finding.
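
The check above can be automated. The following is an added example, not part of the STIG or of Splunk's own tooling: it parses outputs.conf text and reports, for every [tcpout:<group>] stanza rather than only group1, whether useACK=true is present. The function names and the sample file contents are constructed for illustration, and it applies the check text literally, so each group stanza must itself carry the literal value true.

```python
import re

# Constructed sample outputs.conf; group names and server addresses are made up.
SAMPLE_OUTPUTS_CONF = """\
[tcpout:group1]
server = 10.0.0.10:9997
useACK = true

[tcpout:dmz_indexers]
server = 10.0.1.10:9997
# useACK=true   (commented out, so not in effect)

[tcpout:legacy]
server = 10.0.2.10:9997
useACK = false
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never set a value
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name").strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_useack(text):
    """Map each [tcpout:<group>] stanza to 'pass', 'missing' or 'not_true'."""
    results = {}
    for name, settings in parse_stanzas(text).items():
        if name.startswith("tcpout:"):
            value = settings.get("useACK")
            if value is None:
                results[name] = "missing"      # finding: statement absent
            else:
                # Assumption: only the literal "true" (any case) passes.
                results[name] = "pass" if value.lower() == "true" else "not_true"
    return results

if __name__ == "__main__":
    for stanza, status in audit_useack(SAMPLE_OUTPUTS_CONF).items():
        print(f"[{stanza}] useACK: {status}")
```

Any stanza reported as missing or not_true corresponds to a finding under this rule; on a real forwarder, pass the contents of $SPLUNK_HOME/etc/system/local/outputs.conf to audit_useack.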

Documentable

False

Check Content Reference

M

Target Key

4082

Comments