Splunk Enterprise must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.

An XCCDF Rule

Description

<VulnDiscussion>Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251667r992040_rule
Severity: Low
References: CCI-000171 CCI-003831
Updated: 17 days ago

Provide the list of individuals assigned by the ISSM to be members of the admin role to the Splunk Enterprise administrator.

Provide the list of individuals assigned by the ISSM to be members of the admin role to the LDAP administrator to add to the LDAP group mapped to the admin role.

Create user accounts and assign the admin role for users provided in the lists.

Splunk Enterprise must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.

Description

Remediation - Manual Procedure