Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-221601 | SPLK-CL-000020 | SV-221601r879589_rule | High |
| Description |
|---|
| To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses. The use of an organizational level authentication mechanism provides centralized management of accounts, and provides many benefits not normally leveraged by local account mechanisms. |
| STIG | Date |
|---|---|
| Splunk Enterprise 7.x for Windows Security Technical Implementation Guide | 2023-06-09 |
Details
| Check Text ( C-23316r663925_chk ) |
|---|
| If the instance being checked is in a distributed environment and has the web interface disabled, this check is N/A. Select Settings >> Access Controls >> Authentication method. Verify that LDAP or SAML is selected. If LDAP or SAML is not selected, this is a finding. |
| Fix Text (F-23305r416261_fix) |
|---|
| Select Settings >> Access Controls >> Authentication method. If using LDAP for user accounts: Select LDAP and create an LDAP strategy with the proper settings to connect to the LDAP server. Map the appropriate LDAP groups to the appropriate Splunk roles for proper user access. If using SAML for user accounts: Select SAML and create an SAML strategy with the proper settings to connect to the SAML provider. Map the appropriate SAML groups to the appropriate Splunk roles for proper user access. |