I have set up the Splunk native password policy on my company's implementation, but it seems like the password expiration alert does not work as expected. Today I have many users complaining that their password has expired but that they did not receive or notice any warning.
I was assuming that the 15-day alerts would be a "highlighted bar" at the top of the Splunk page (fine for daily users), but for occasional users I was expecting an email. Reading over the docs, I can only find information on how to set this, but no detail on what it actually does.
The alert is displayed when a user logs in (image above). You have to specify some parameters in authentication.conf (https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Authenticationconf). To do so, declare the splunk_auth stanza and modify the following keys:
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
expirePasswordDays = 20
expireAlertDays = 42
expireUserAccounts = True
forceWeakPasswordChange = True
lockoutUsers = True
lockoutMins = 30
lockoutAttempts = 3
enablePasswordHistory = True
passwordHistoryCount = 5
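An added example, not part of either post or of Splunk itself: it parses the [splunk_auth] stanza above and works out when the login-time warning would start for a given password change date, which makes visible that with expireAlertDays larger than expirePasswordDays the bar appears from the first login, and that a user who never logs in sees nothing. The defaults and the "expireAlertDays counts back from expiry" reading are assumptions taken from the documented behaviour; the lint thresholds are my own.

```python
import configparser
from datetime import date, timedelta

# Constructed sample: the keys from the answer above, embedded so this runs
# offline. For a live check, read $SPLUNK_HOME/etc/system/local/authentication.conf.
SAMPLE_CONF = """
[splunk_auth]
minPasswordLength = 8
expirePasswordDays = 20
expireAlertDays = 42
expireUserAccounts = True
lockoutUsers = True
lockoutMins = 30
lockoutAttempts = 3
"""

def read_splunk_auth(text):
    """Parse the [splunk_auth] stanza into a dict of key -> string value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # preserve Splunk's camelCase key names
    cp.read_string(text)
    return dict(cp["splunk_auth"]) if cp.has_section("splunk_auth") else {}

def is_true(policy, key, default="false"):
    return policy.get(key, default).strip().lower() in ("true", "1")

def alert_window(policy, changed_on):
    """Return (first_alert_day, expiry_day) as ISO strings for a password set
    on changed_on (ISO date). Assumes expireAlertDays counts back from expiry
    and that 90 / 15 are the defaults (assumption, not read from the page)."""
    changed = date.fromisoformat(changed_on)
    expire_days = int(policy.get("expirePasswordDays", 90))
    alert_days = int(policy.get("expireAlertDays", 15))
    expiry = changed + timedelta(days=expire_days)
    first_alert = max(changed, expiry - timedelta(days=alert_days))
    return first_alert.isoformat(), expiry.isoformat()

def lint_policy(policy):
    """Return human-readable findings about the expiry and lockout settings."""
    findings = []
    if not is_true(policy, "expireUserAccounts"):
        findings.append("expireUserAccounts is off: passwords never expire")
    elif int(policy.get("expireAlertDays", 15)) >= int(policy.get("expirePasswordDays", 90)):
        findings.append("expireAlertDays >= expirePasswordDays: the warning shows "
                        "from the first login after a change, so it carries no signal")
    if not is_true(policy, "lockoutUsers", "true"):
        findings.append("lockoutUsers is off: no lockout after failed logins")
    if int(policy.get("minPasswordLength", 8)) < 8:
        findings.append("minPasswordLength below 8")
    return findings

if __name__ == "__main__":
    policy = read_splunk_auth(SAMPLE_CONF)
    print("alert window:", alert_window(policy, "2024-01-01"))
    for finding in lint_policy(policy):
        print("finding:", finding)
```

Because the warning is only rendered at login, occasional users who do not log in inside the window get no notice at all; an out-of-band reminder (for example a scheduled search over user password-change times that emails the account owner) has to be built separately.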