Hello
I'm working on a new script to install Splunk via bash. Before accepting the license and starting Splunk, with no prompt and answering yes, I'm creating the user-seed.conf file in system/local:
# create admin account
cd /opt/splunk/etc/system/local/ || exit 1
touch user-seed.conf
echo "[user_info]" >> user-seed.conf
echo "USERNAME = admin" >> user-seed.conf
echo "HASHED_PASSWORD = <hashed pass>" >> user-seed.conf
However, after running
'/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'
and going back to look for user-seed.conf, it no longer exists. I'm also removing any etc/passwd file before starting. When Splunk starts with the hashed password in user-seed.conf, does that file disappear or get moved?
Maybe I'm going about this the wrong way? Is there a better way to do this?
Thanks for the thoughts!
Todd
Since you are starting Splunk for the first time it's not going to honor your value for the HASHED_PASSWORD parameter. Use PASSWORD instead and Splunk will hash it for you.
You can also use this syntax in your start command (though it does leave the password behind in the command history); "admin" is the default admin user:
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>
If you use the user-seed.conf method (with PASSWORD) be sure the directory/file are owned by the user/group that you are running Splunk as.
The only problem I see is that user-seed.conf no longer exists once I start Splunk the first time, AND when I look at passwd it does not contain any of the info I put in user-seed.conf, so I don't know how to verify the password is actually set as I wanted it to be.
Any ideas how I can verify that? "validate-passwd" doesn't seem to tell me what I need to know.
Thanks as always
Todd
This works in our Ansible scripts: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount
And as was said earlier, Splunk removes that user-seed.conf file after a successful start. You could test it e.g. by
splunk list tcp
and giving the user and its password. If it works, it gives you an answer for that query.
r. Ismo
How do you implement this using ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using gitlab as my repository.
I have it this way (thanks splunk/ansible-splunk):
- name: Set admin access via seed
  when: splunk_first_run | bool
  block:
    - name: "Hash the password"
      command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}"
      register: hashed_pwd
      changed_when: hashed_pwd.rc == 0
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"
    - name: "Generate user-seed.conf (Linux)"
      ini_file:
        owner: "{{ splunk.user }}"
        group: "{{ splunk.group }}"
        dest: "{{ splunk.home }}/etc/system/local/user-seed.conf"
        section: user_info
        option: "{{ item.opt }}"
        value: "{{ item.val }}"
        mode: 0644
      with_items:
        - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'}
        - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'}
      loop_control:
        label: "{{ item.opt }}"
      when: ansible_system is match("Linux")
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"
Then that user + password information is in config files, which are per environment etc. in git. All those secrets are saved with ansible-vault, so there are no passwords in plain text in your repository/inventory. You could have as many config files as you need. Usually one or more per environment and customer.
If it returns nothing, then your password meets requirements. Otherwise it will return an ERROR, e.g.:
splunk validate-passwd '$6$m84'
ERROR: Password did not meet complexity requirements. Password must contain at least:
* 8 total printable ASCII character(s).
The un-hashed password returns nothing, which I think means it works?
I tried the hashed password but it errors, but I think it probably should, right?
If your hashed password threw errors then it either does not meet complexity requirements or you need to enclose it within tick marks.
I thought that might happen. My goal is to NOT use a clear-text password, but I've been having a bit-o-trouble getting that lined out. Any thoughts on how that might be achieved?
Thanks all for the assistance!
You can use a hashed password, it just needs to be hashed by Splunk. It can't be a random string you create.
This obviously means you need to have Splunk up and running (somewhere) but here is the command:
splunk hash-passwd <plaintext password>
You should be able to execute that on an unrelated node running the same Splunk version and be fine.
I did do that; the hashed pass I used in the script is the hashed password I created from the password I wanted to use. I didn't create a random hash. It doesn't appear to update passwd though, so I'm not sure it actually works.
There is also a validate-passwd function you can use after hashing.
More info here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount
Hi @tkw03,
This is normal behaviour. The passwd file is updated with your hashed password and the user-seed.conf file is deleted.
I think you are able to log in with the new password.
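Putting the thread's answers together as a bash helper (an added example, not code from any post or from Splunk): it writes user-seed.conf from a hash produced by `splunk hash-passwd`, and after the first start checks the two facts stated above, that the seed file is gone and that etc/passwd now carries the user. The paths, the `splunk:splunk` owner, the SPLUNK_ADMIN_HASH variable and the assumption that etc/passwd lines start with `:<username>:` are mine, not from the thread.

```bash
#!/usr/bin/env bash
# Added example: seed the Splunk admin account from a Splunk-generated hash,
# start once, then verify the seed was consumed. Assumes /opt/splunk,
# a 'splunk' user, and a hash from `splunk hash-passwd` on the same version.
set -euo pipefail

# Write user-seed.conf under $1 (an etc/system/local dir) for user $2 with
# Splunk-generated hash $3. Created 0600 (subshell umask) so the hash is not
# world-readable in the window before Splunk consumes the file.
write_user_seed() {
  local local_dir="$1" user="$2" hash="$3"
  mkdir -p "$local_dir"
  ( umask 077
    printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' \
      "$user" "$hash" > "$local_dir/user-seed.conf" )
}

# After the first start the seed file must be gone and etc/passwd must hold
# the user. $1 = SPLUNK_HOME/etc, $2 = username. Returns 0 only if both hold.
# Assumption: Splunk's etc/passwd lines are colon-delimited and begin ':<user>:'.
verify_seed_consumed() {
  local etc_dir="$1" user="$2"
  [ ! -e "$etc_dir/system/local/user-seed.conf" ] || return 1
  grep -q "^:${user}:" "$etc_dir/passwd" 2>/dev/null
}

main() {
  local splunk_home="${SPLUNK_HOME:-/opt/splunk}"
  # Pass the hash in via the environment, never on the command line
  # (the thread notes --seed-passwd leaves the secret in shell history).
  local hash="${SPLUNK_ADMIN_HASH:?set to the output of: splunk hash-passwd}"
  write_user_seed "$splunk_home/etc/system/local" admin "$hash"
  chown splunk:splunk "$splunk_home/etc/system/local/user-seed.conf"
  "$splunk_home/bin/splunk" start --accept-license --answer-yes --no-prompt
  if verify_seed_consumed "$splunk_home/etc" admin; then
    echo "admin account seeded and user-seed.conf consumed"
  else
    echo "seed not consumed: check ownership of user-seed.conf" >&2
    return 1
  fi
}

# Run only when explicitly asked, so the functions can be sourced elsewhere.
if [ "${SEED_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as `SEED_RUN=1 SPLUNK_ADMIN_HASH='$6$...' ./seed-admin.sh` as root; the hash is the output of `splunk hash-passwd` from a node on the same Splunk version, as the thread describes.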