Rule ID
SV-251677r961863_rule
Version
V2R3
CCIs
Access to Splunk Enterprise for analysis, viewing, indexing functions, services, and applications, such as analysis tools and other vendor-provided applications, must be secured. Software used to perform additional functions, which resides on the server, must also be secured or could provide a vector for unauthorized access to the events repository.
Execute a search query in Splunk using the following: index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname sourceIp destPort ssl Verify that the report returns ssl = true for every item listed. Navigate to $SPLUNK_HOME/etc/system/local/web.conf and verify the enableSplunkWebSSL is set to 1. If the report returns ssl = false for any item, and/or If enableSplunkWebSSL is not set, this is a finding.
Edit the following files in the installation to configure Splunk to use SSL certificates: This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. $SPLUNK_HOME/etc/system/local/inputs.conf [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = <path to the DoD approved certificate in PEM format> sslPassword = <password for the certificate> This configuration is performed on the machine used as a forwarder, which is always a separate machine regardless of environment. $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout:group1] disabled = 0 clientCert = <path to the DoD approved certificate in PEM format> sslPassword = <password for the certificate> This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. Edit the following file in the installation to configure Splunk to use SSL certificates: $SPLUNK_HOME/etc/opt/system/local/web.conf [settings] enableSplunkWebSSL = 1 privKeyPath = <path to the private key generated for the DoD approved certificate> serverCert = <path to the DoD approved certificate in PEM format>