Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.

An XCCDF Rule

Description

<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251679r960969_rule
Severity: High
References: CCI-000764
Updated: 17 days ago

This configuration is performed on the machine used as a search head or a deployment server, which may be a separate machine in a distributed environment.

Navigate to the $SPLUNK_HOME/etc/system/local/ directory.

Edit the authentication.conf file.
If the authentication.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory.

Configure minimum settings similar to the example below for using LDAP or SAML.

If using LDAP:

[authentication]
authType = LDAP
authSettings = <ldap_strategy>

[<ldap_strategy>]
host = <LDAP server>
port = <LDAP port>
sslEnabled = 1

Edit the following file in the $SPLUNK_HOME/etc/openldap folder:

ldap.conf

Configure the following lines for your certificate.

TLS_REQCERT
TLS_CACERT <path to SSL certificate>
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-
SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
AES128-SHA256:ECDHE-RSA-AES128-SHA256

If using SAML:

[authentication]
authType = SAML
authSettings = <saml_strategy>
[<saml_strategy>]
entityId = <saml entity>
idpSSOUrl = <saml URL>
idpCertPath = <path to certificate>

After configuring LDAP or SAML, open the Splunk Web console.

Select Settings >> Access Controls >> Users. 

Create appropriate LDAP and SAML users and groups for the environment.

Delete any user account with Authentication system set to Splunk, with the exception of one emergency account of last resort. Splunk will prevent the user from deleting an LDAP or SAML account.

Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.

Description

Remediation - Manual Procedure