When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
An XCCDF Rule
Description
Applications are capable of providing a wide variety of functions and services. Some of the functions and services may not be necessary to support the configuration. This becomes more of an issue in distributed environments, where the application functions are spread out over multiple servers. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
- ID: SV-251678r960963_rule
- Severity: Medium
Remediation - Manual Procedure
If the Splunk installation is not distributed among multiple servers, this fix is N/A.
Select Settings >> Monitoring Console.
In the Monitoring Console, select Settings >> General Setup.