Skip to content

Splunk Enterprise must only allow the use of DoD-approved certificate authorities for cryptographic functions.

An XCCDF Rule

Description

<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Splunk Enterprise contains built-in certificates that are common across all Splunk installations and are for initial deployment. These should not be used in any production environment. The production certificates should be stored in another location away from the Splunk default certificates, as that folder is replaced on any upgrade of the application. An example would be to use a folder named $SPLUNK_HOME/etc/system/DoDcerts under the Splunk installation root folder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-221932r879798_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Request a DoD-approved certificate and a copy of the DoD root CA public certificate and place the files in a location for Splunk use.

Configure the certificate files to the PEM format using the Splunk Enterprise system documentation.