Securing Splunk Enterprise
Create secure administrator credentials
When you install Splunk Enterprise, you must create a username and password for the administrator account. Your Splunk Enterprise instance isn't accessible without this account.
You can create this account as part of running the Splunk Enterprise installer, which is the fastest way to create these credentials. The installer accepts command line arguments for creating them. If you do not pass those arguments, the installer prompts you for a username and a password later in the installation process.
If you upgrade from an older version of Splunk Enterprise, the installer uses existing administrator credentials and doesn't ask you to create new ones.
Create administrator credentials after you install Splunk Enterprise
The Splunk Enterprise installer needs action from you to create administrator credentials. You must do one of the following:
- Provide credentials as command-line arguments to the installer when you run the installer
- Supply the password in a configuration file that the installer can read during the installation process
- Answer the prompts during the installation process when they appear
If you do not create the password during the installation process using one of these methods, it's possible to end up with a temporarily unusable instance. This can happen, for example, if you use the --no-prompt Splunk CLI argument to start a Splunk Enterprise installation and at the same time do not provide an administrator password in the user-seed.conf configuration file inside the installation. In this case, the installer doesn't prompt you to create an administrator account, and since you did not specify a password, the installer succeeds in installing the software but does not create the administrator credentials.
In this case, you must create the administrator credentials manually for the instance to be accessible again.
If you installed Splunk Enterprise and did not create the administrator credentials, you can use one of the following methods to create the credentials. All of these methods require local access to the host that runs the instance (a shell or file system access as the Splunk user or root); none of them can be performed over Splunk Web or the management port.
Create administrator credentials with the user-seed.conf configuration file
You can create administrator credentials using the user-seed.conf configuration file. This is currently the most secure method to create administrative credentials. Other methods can introduce security risks, mainly around access to command line history or process output. Note that the PASSWORD setting stores the password in plain text on disk, so restrict the file to the Splunk user (for example, mode 0600) and remove any copies once the instance is up; for automated installations, prefer the HASHED_PASSWORD form described later in this topic.
- Edit the $SPLUNK_HOME/etc/system/local/user-seed.conf file as follows:

    [user_info]
    USERNAME = admin
    PASSWORD = <your password>

- Restart Splunk Enterprise.
Create administrator credentials using the REST API
You can create credentials using the splunkd rest --noauth command. This method is a potential security risk unless you immediately delete the command line history after you run the command, because the password appears in plain text in the command line history. You must restart Splunk Enterprise after using splunkd REST commands.

    $ splunk cmd splunkd rest --noauth POST /services/authentication/users "name=admin&password=<your password>&roles=admin"
Create admin credentials using the --seed-passwd or --gen-and-print-passwd CLI arguments
You can use the --seed-passwd or --gen-and-print-passwd CLI arguments to create administrator credentials. This method is a potential security risk because the password appears in the command line history, in process output (for example, ps aux), and, for --gen-and-print-passwd, on the standard output of whatever runs the command, which automation tools often log. Deleting the command line history can reduce this potential risk.
- Create a password when you start Splunk Enterprise with the --seed-passwd argument:

    splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>

- Generate a random password and print it immediately:

    splunk start --accept-license --answer-yes --no-prompt --gen-and-print-passwd
Create administrator credentials for automated installations with the 'hash-passwd' CLI command
You can use this method in automated installations where you save and distribute the user-seed.conf file to other instances. In most cases, you place the user-seed.conf file in the $SPLUNK_HOME/etc/system/local directory on these instances.
This method is potentially a security risk because the password appears in plain text in the command line history. Deleting the command line history after you complete the procedure can reduce this risk. The hash is not harmless either: the $6$ prefix marks a SHA-512 crypt hash, which can be attacked offline if the seed file leaks, and every instance seeded from the same file shares the same administrator password, so protect the file like a credential.
- Create a hash from a plain-text password:

    $ splunk hash-passwd <your password>
    $6$hf3syG/qxy6REoBp...

- Copy the password hash that the command generates.
- Using a text editor, open $SPLUNK_HOME/etc/system/local/user-seed.conf for editing.
- Place the password hash into the user-seed.conf file using the HASHED_PASSWORD setting. For example:

    [user_info]
    USERNAME = admin
    HASHED_PASSWORD = $6$hf3syG/qxy6REoBp...

- Save the file and close it.
- Restart the Splunk Enterprise instance.
Validate a password
To validate a password and confirm that it conforms to the password complexity requirements, you can use the splunk validate-passwd CLI command. Passing the password as an argument exposes it in command line history and process output in the same way as the other CLI methods; reading it from standard input with - avoids that.
For example:

    splunk validate-passwd <your password>
    cat passwd.txt | splunk validate-passwd -

    $ splunk validate-passwd weakpas
    ERROR: Password did not meet complexity requirements. Password must contain at least:
    * 8 total printable ASCII character(s).
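The following is an added example, not part of the Splunk documentation or the Splunk product. It automates the user-seed.conf step of the hash-passwd procedure above for fleet installations and applies the minimum rule shown in the validate-passwd output (8 printable ASCII characters) before a password is ever hashed. It assumes the SHA-512 crypt hash was produced once by splunk hash-passwd on a build host and is handed to each target host in a root-only file, so the plain-text password never appears in the target host's shell history or process list. The function names (looks_like_sha512_crypt, meets_min_complexity, render_user_seed, write_user_seed), the file layout and the placeholder hash in the usage comment are this example's own assumptions, not Splunk identifiers.

```sh
#!/bin/sh
# Added example (not Splunk's own code). Builds a user-seed.conf that carries
# only a HASHED_PASSWORD, for distribution to instances in an automated install.
# Assumption: the hash was produced once by `splunk hash-passwd` on a build host.

# True if the string has the shape that hash-passwd prints: "$6$<salt>$<digest>".
# A failed check usually means a plain-text password was pasted by mistake.
looks_like_sha512_crypt() {
  case "$1" in
    '$6$'*'$'*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Minimum rule shown in this topic's validate-passwd output: at least 8
# printable ASCII characters. The instance's own password policy may demand
# more, so still run `splunk validate-passwd -` on a real host.
meets_min_complexity() {
  pw="$1"
  # Count bytes outside the printable ASCII range (C locale: 0x20-0x7E).
  bad=$(printf '%s' "$pw" | LC_ALL=C tr -d '[:print:]' | wc -c)
  [ "$((bad))" -eq 0 ] || return 1
  [ "${#pw}" -ge 8 ] || return 1
  return 0
}

# Print the user-seed.conf body for one administrator; refuses anything that
# is not a SHA-512 crypt string so plain text never reaches the file.
render_user_seed() {
  username="$1"; hash="$2"
  looks_like_sha512_crypt "$hash" || return 1
  printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' "$username" "$hash"
}

# Write $SPLUNK_HOME/etc/system/local/user-seed.conf owner-only (0600) and
# atomically, so splunkd never reads a half-written or world-readable file.
write_user_seed() {
  splunk_home="$1"; username="$2"; hash="$3"
  dir="$splunk_home/etc/system/local"
  mkdir -p "$dir" || return 1
  tmp="$dir/.user-seed.conf.$$"
  # umask in a subshell so the restrictive mask does not leak to the caller.
  (umask 077 && render_user_seed "$username" "$hash" > "$tmp") || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$dir/user-seed.conf"
}

# Typical use on a target host, with the hash read from a root-only file
# (hypothetical path) so it is never typed on the command line:
#   write_user_seed /opt/splunk admin "$(cat /root/splunk-admin.hash)"
#   /opt/splunk/bin/splunk restart
```

The hash file, not the password, is what your deployment tooling ships; the hash still identifies one shared administrator password across every instance seeded from it, so rotate it per environment and keep the file out of artifact stores and repositories.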
Reset credentials
If you lose or forget administrator credentials, you can reset the password. You must be able to write to the underlying password file ($SPLUNK_HOME/etc/passwd). You must restart Splunk Enterprise after making this change.

    splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"

Delete the command line history after you run this command.
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2