V-221932

Discussion

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Splunk Enterprise contains built-in certificates that are common across all Splunk installations and are for initial deployment. These should not be used in any production environment. The production certificates should be stored in another location away from the Splunk default certificates, as that folder is replaced on any upgrade of the application. An example would be to use a folder named $SPLUNK_HOME/etc/system/DODcerts under the Splunk installation root folder.

Check Content

Verify the properties of the certificates used by Splunk to ensure that the Issuer is the DOD trusted CA.

Check the following files for the certificates in use by Splunk.

This file is located on the machine used as the search head, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/web.conf

[settings]
serverCert = <path to the DOD approved certificate in PEM format>

This file is located on the machine used as an indexer, which may be a separate machine in a distributed environment.

$SPLUNK_HOME/etc/system/local/inputs.conf

[SSL]
serverCert = <path to the DOD approved certificate in PEM format>

This file is located on the machine used as a forwarder, which is always a separate machine regardless of environment.

$SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout:group1]
clientCert = <path to the DOD approved certificate in PEM format>

Verify each certificate listed above with the following command:

openssl x509 -text -inform PEM -in <name of cert>

If the certificate issuer is not a DOD trusted CA, this is a finding.