Currently using LDAP authentication, enterprise license for splunk version 7.3.3
I know there was a similar issue in previous versions when SSO was used, and again if you were on a free license.
to meet CCI-002364, a logout message needs to be recorded. but there is no logout option. Could this be do to CAC authentication? Does anyone know if there's a workaround? Or why the logout option does not exist for users?
Hi @ndoerfler,
As mentioned in this question Logging Out of Splunk, you could change the URL to logout as workaround:
<SPLUNK_HOSTNAME>/en-US/account/logout
I have tested with SAML/SSO and It seems to work.
That would work for myself, and I could do that. But unfortunately not all users or customers that access will be as willing and end up closing the window itself which doesn't give me the logout notification. What we really need is that logout option to show. Or a technical reason as to why it doesn't show. If an auditor were to ask about the CCI, we currently don't have an answer for it.
Hi
Unfortunately splunk didn't record logout or time-out to logs unless you don't do explicit logout from gui.
Here is more about this on previous answer: https://community.splunk.com/t5/Archive/How-to-calculate-Splunk-session-for-a-user/m-p/482711
You could try to ask that they add this somehow to audit events in https://ideas.splunk.com, but as it's quite hard to define "logout/timeout" with exact time, this could be hard to get there.
r. Ismo