Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.

An XCCDF Rule

Description

<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and compromise of the system. Sharing of accounts prevents accountability and non-repudiation. Organizational users must be uniquely identified and authenticated for all accesses. The use of an organizational level authentication mechanism provides centralized management of accounts, and provides many benefits not normally leveraged by local account mechanisms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-221601r879589_rule
Severity: High
References: CCI-000764
Updated: about 1 year ago

Select Settings >> Access Controls >> Authentication method.

If using LDAP for user accounts:
Select LDAP and create an LDAP strategy with the proper settings to connect to the LDAP server.
Map the appropriate LDAP groups to the appropriate Splunk roles for proper user access.
If using SAML for user accounts:
Select SAML and create an SAML strategy with the proper settings to connect to the SAML provider.
Map the appropriate SAML groups to the appropriate Splunk roles for proper user access.

Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.

Description

Remediation - Manual Procedure