Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.
An XCCDF Rule
Description
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses. The use of an organizational level authentication mechanism provides centralized management of accounts, and provides many benefits not normally leveraged by local account mechanisms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-221601r960969_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Select Settings >> Access Controls >> Authentication method.
If using LDAP for user accounts:
Select LDAP and create an LDAP strategy with the proper settings to connect to the LDAP server.
Map the appropriate LDAP groups to the appropriate Splunk roles for proper user access.