Splunk Enterprise 8.x for Linux STIG Version Comparison
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide
Comparison
There are 4 differences between versions v1 r4 (July 26, 2023) (the "left" version) and v2 r1 (July 24, 2024) (the "right" version).
Check SPLK-CL-000010 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
Check Content
This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check is Not Applicable (v1 r4 abbreviates this as "N/A"; v2 r1 spells out "Not Applicable"). Examine the configuration: navigate to the $SPLUNK_HOME/etc/system/local/ directory and view the web.conf file. If the web.conf file does not exist, this is a finding. If "tools.sessions.timeout" is missing or is configured to 16 or more (the value is in minutes), this is a finding.
Discussion
Automatic session termination after a period of inactivity addresses the potential for a malicious actor to exploit the unattended session. Closing any unattended sessions reduces the attack surface to the application. Satisfies: SRG-APP-000295-AU-000190, SRG-APP-000389-AU-000180
Fix
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the web.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify/Add the following line in the web.conf file: tools.sessions.timeout = 15. Note that the STIG Fix text prints the key as "tools.session.timeout"; the web.conf key, and the one the Check Content looks for, is "tools.sessions.timeout", and it belongs in the [settings] stanza. Copying the entire default web.conf into local pins every default value, so a smaller local/web.conf containing only [settings] and this key is the safer way to satisfy the fix.
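As an added example (not part of the STIG and not Splunk's own tooling), the following bash function applies the Check Content above to one web.conf file: it reports a finding if the file is missing, if tools.sessions.timeout is absent from the [settings] stanza, or if the value is 16 or more, and returns 0 only when the file is compliant. It assumes the key lives under [settings], where Splunk's web.conf spec documents it; the file paths in the usage note and any web.conf contents used to exercise it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: evaluate SPLK-CL-000010 against a single web.conf file.
# Not DISA or Splunk code. Assumes tools.sessions.timeout is in [settings].

# splk_cl_000010_check <path-to-web.conf>
# Prints the result and returns 0 (compliant) or 1 (finding).
splk_cl_000010_check() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "finding: $conf does not exist"
        return 1
    fi

    # Take the last tools.sessions.timeout value that appears inside [settings].
    # Lines beginning with '#' are comments in Splunk .conf files and are skipped.
    value=$(awk -F'=' '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { in_settings = ($0 ~ /^[[:space:]]*\[settings\]/); next }
        in_settings && $1 ~ /^[[:space:]]*tools\.sessions\.timeout[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); print v
        }' "$conf" | tail -n 1)

    if [ -z "$value" ]; then
        echo "finding: tools.sessions.timeout is missing from [settings] in $conf"
        return 1
    fi
    case "$value" in
        *[!0-9]*)
            echo "finding: tools.sessions.timeout is not an integer: '$value'"
            return 1 ;;
    esac
    # The Check text treats 16 or more (minutes) as a finding; anything below passes.
    if [ "$value" -ge 16 ]; then
        echo "finding: tools.sessions.timeout is $value minutes (must not exceed 15)"
        return 1
    fi
    echo "pass: tools.sessions.timeout = $value minutes"
    return 0
}
```

On a search head, run it against the path the Check names, for example `splk_cl_000010_check "${SPLUNK_HOME:-/opt/splunk}/etc/system/local/web.conf"`. The Check only inspects system/local; Splunk's effective value is the layered merge of default, app and local web.conf files, so after remediation confirm the winning value and its source file with `$SPLUNK_HOME/bin/splunk btool web list settings --debug`.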