
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Splunk Enterprise 8.x for Linux Security Technical Implementation Guide

Version: V2R3

Benchmark ID: Splunk_Enterprise_8-x_for_Linux_STIG

Total Checks: 37

Tags: linux

Severity breakdown: CAT I: 6, CAT II: 15, CAT III: 16

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (37)

  • V-251657 (MEDIUM): Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
  • V-251658 (LOW): Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, or disabling).
  • V-251659 (MEDIUM): Splunk Enterprise must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-251660 (MEDIUM): Splunk Enterprise must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
  • V-251661 (LOW): Splunk Enterprise must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the server.
  • V-251662 (MEDIUM): Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.
  • V-251663 (LOW): Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.
  • V-251664 (MEDIUM): In a distributed environment, Splunk Enterprise indexers must be configured to ingest log records from its forwarders.
  • V-251665 (LOW): The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on the defined security plan.
  • V-251666 (MEDIUM): Splunk Enterprise must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.
  • V-251667 (LOW): Splunk Enterprise must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.
  • V-251668 (MEDIUM): Splunk Enterprise must be configured to offload log records onto a different system or media than the system being audited.
  • V-251669 (LOW): Splunk Enterprise must be configured to send an immediate alert to the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.
  • V-251670 (LOW): Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.
  • V-251671 (LOW): Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.
  • V-251672 (MEDIUM): Splunk Enterprise installation directories must be secured.
  • V-251673 (LOW): Splunk Enterprise must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.
  • V-251674 (MEDIUM): Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
  • V-251675 (MEDIUM): Splunk Enterprise must use TCP for data transmission.
  • V-251676 (MEDIUM): Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
  • V-251677 (MEDIUM): Analysis, viewing, and indexing functions, services, and applications used as part of Splunk Enterprise must be configured to comply with DoD-trusted path and access requirements.
  • V-251678 (MEDIUM): When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
  • V-251679 (HIGH): Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.
  • V-251680 (MEDIUM): Splunk Enterprise must use HTTPS/SSL for access to the user interface.
  • V-251681 (LOW): Splunk Enterprise must be configured to enforce password complexity by requiring that at least one uppercase character be used.
  • V-251682 (LOW): Splunk Enterprise must be configured to enforce password complexity by requiring that at least one lowercase character be used.
  • V-251683 (LOW): Splunk Enterprise must be configured to enforce password complexity by requiring that at least one numeric character be used.
  • V-251684 (LOW): Splunk Enterprise must be configured to enforce a minimum 15-character password length.
  • V-251685 (LOW): Splunk Enterprise must be configured to enforce password complexity by requiring that at least one special character be used.
  • V-251686 (HIGH): Splunk Enterprise must be installed in FIPS mode to implement NIST FIPS-approved cryptography for all cryptographic functions.
  • V-251687 (LOW): Splunk Enterprise must be configured to enforce a 60-day maximum password lifetime restriction.
  • V-251688 (LOW): Splunk Enterprise must be configured to prohibit password reuse for a minimum of five generations.
  • V-251689 (HIGH): Splunk Enterprise must use TLS 1.2 and SHA-2 or higher cryptographic algorithms.
  • V-251690 (MEDIUM): Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.
  • V-251691 (HIGH): Splunk Enterprise must be configured to protect the confidentiality and integrity of transmitted information.
  • V-251692 (HIGH): Splunk Enterprise must accept the DOD CAC or other PKI credential for identity management and personal authentication.
  • V-274465 (HIGH): Splunk Enterprise must use a version supported by the vendor.