11. SA-5
a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security and privacy functions and mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
b. Obtain or develop user documentation for the system, system component, or system service that describes:
1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
d. Distribute documentation to [Assignment: organization-defined personnel or roles].
21. Assumptions
What are the key assumptions of the service?
• SHs (search heads) are intended to be available to multiple teams for their logs
• Users are self-service, but only comfortable using the GUI for editing dashboards or saved searches
• Downtime tolerance for a search head is no more than two hours
• Data ingestion downtime tolerance for forwarded logs is approximately 30 minutes
• Data ingestion downtime tolerance for pulled logs (e.g. modular inputs, scripted inputs) is four hours
• Content in user private space (not app shared) is non-production and may be safely deleted when a user leaves the organization
22. Systems
| Hostname | CNAME | Role | CPU | RAM | Storage | Type | Notes |
|---|---|---|---|---|---|---|---|
| sec-splunk-sh01 | splunk | SH | 72 | 256G | /: 116G; /boot: 2G; /opt: 95G | Dell Poweredge R640 | Primary SH; Asset Tag: PC12345 |
| sec-splunk-test01 | | SH-test | 12 | 24G | /: 20G; /boot: 700M | VMware VM | Cluster baz |
23. Systems in AWS
| Hostname | CNAME | Role | Storage | Type | Notes |
|---|---|---|---|---|---|
| cc01023 | splunk | SH | /: 116G; /boot: 2G; /opt: 95G | c6i.8xl | SHC |
| cc01026 | | IDX | /: 20G; /opt/splunk: 15T | i3en.6xl | Storage is ephemeral |
| cc01043 | splunk-dev | SH | /: 20G; /opt/splunk: 150G | t3.m | Dev SH, low CPU |