Installation

Scripting admin credentials in scripted install

tkw03
Communicator

Hello

I'm working on a new script to install Splunk via bash. Before accepting the license and starting Splunk with no prompt and answering yes, I'm creating the user-seed.conf file in system/local

 

# create admin account
cd /opt/splunk/etc/system/local/
touch user-seed.conf
echo "[user_info]" >> user-seed.conf
echo "USERNAME = admin" >> user-seed.conf
echo "HASHED_PASSWORD = <hashed pass>" >> user-seed.conf

 

However after 

 

'/opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt'

 

and going back and trying to find user-seed.conf, it no longer exists. I'm also removing any etc/passwd file before starting. When Splunk starts with the hashed pass in user-seed.conf, does that file disappear or get moved?

Maybe I'm going about this the wrong way? Is there a better way to do this?

Thanks for the thoughts!

Todd

0 Karma

codebuilder
Influencer

Since you are starting Splunk for the first time it's not going to honor your value for the HASHED_PASSWORD parameter. Use PASSWORD instead and Splunk will hash it for you.

You can also use this syntax in your start command (though it does leave it behind in the command history), "admin" is the default admin user:
splunk start --accept-license --answer-yes --no-prompt --seed-passwd <your password>

If you use the user-seed.conf method (with PASSWORD) be sure the directory/file are owned by the user/group that you are running Splunk as.

----
An upvote would be appreciated and Accept Solution if it helps!

isoutamo
SplunkTrust

Splunk honors your HASHED_PASSWORD in user-seed.conf if you have created it, as you said later on, with the command "splunk hash-password" and added it to this file. You must do this before starting it for the first time.
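Putting the two replies above together (hash produced beforehand with the Splunk CLI, seed file owned by the account Splunk runs as, file gone after the first start), here is an added shell example that is not from this thread or from Splunk. It assumes the caller supplies SPLUNK_HOME, SPLUNK_USER and SPLUNK_ADMIN_HASH; the hash used in testing is a constructed placeholder.

```shell
#!/bin/sh
# Seed the admin account for a scripted first start with a pre-hashed password,
# keep user-seed.conf readable only by the Splunk service user, and confirm
# that Splunk consumed (removed) the file after starting.
# Assumed inputs: SPLUNK_HOME (default /opt/splunk), SPLUNK_USER (the account
# Splunk runs as) and SPLUNK_ADMIN_HASH, the output of "splunk hash-passwd"
# taken from another node of the same version and passed via the environment
# rather than on the command line, so it never lands in shell history.

# Write [user_info] with USERNAME/HASHED_PASSWORD to $1/user-seed.conf (mode
# 0600). Refuses values that are not crypt(3)-style "$id$..." strings, which is
# the form hash-passwd emits (the thread shows a "$6$" hash).
write_user_seed() {
  dir="$1"; user="$2"; hash="$3"
  case "$hash" in
    '$'*'$'*) ;;
    *) echo "refusing: value is not hash-passwd output" >&2; return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  ( umask 077; printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' \
      "$user" "$hash" > "$dir/user-seed.conf" )
}

# True once Splunk has removed the seed file, i.e. after a successful first start.
seed_consumed() { [ ! -e "$1/user-seed.conf" ]; }

main() {
  home="${SPLUNK_HOME:-/opt/splunk}"
  local_dir="$home/etc/system/local"
  : "${SPLUNK_ADMIN_HASH:?set to the output of: splunk hash-passwd <password>}"
  write_user_seed "$local_dir" admin "$SPLUNK_ADMIN_HASH" || exit 1
  # The seed file must be owned by the user/group Splunk runs as.
  if [ -n "${SPLUNK_USER:-}" ]; then chown "$SPLUNK_USER" "$local_dir/user-seed.conf"; fi
  "$home/bin/splunk" start --accept-license --answer-yes --no-prompt || exit 1
  if seed_consumed "$local_dir"; then
    echo "user-seed.conf consumed; the admin hash is now in etc/passwd"
  else
    echo "user-seed.conf still present: check ownership and splunkd.log" >&2
    exit 1
  fi
}

# Only run the live steps when a Splunk install is actually present.
if [ -x "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" ]; then main; fi
```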

tkw03
Communicator

The only problem I see is that user-seed.conf no longer exists once I start Splunk the first time AND when I look at passwd it does not contain any of the info I put in user-seed.conf, so I don't know how to verify the password is actually set as I wanted it to be.

 

Any ideas how I can verify that? "validate-passwd" doesn't seem to tell me what I need to know.

 

Thanks as always

Todd

0 Karma

isoutamo
SplunkTrust

This works on our ansible scripts https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

And as was said earlier, Splunk removes that user-seed.conf file after a successful start. You could test it e.g. by

splunk list tcp

and give the user and its password. If it works, it gives you an answer for that query.

r. Ismo

samyversonco
Loves-to-Learn Lots

How do you implement this using an ansible playbook? I'm also stuck with this process of accepting the license in Splunk. I'm using user-seed.conf but it couldn't access the src path since I'm using gitlab as my repository.

- name: Generate Splunk seed password hash
  ansible.builtin.set_fact:
    # crypt-style SHA-512 hash of the admin password; keep the real value in ansible-vault
    hashed_pwd: "{{ 'password' | password_hash('sha512') }}"
  when: splunk_agent_status.rc != 0

- name: Create user-seed.conf file
  # ini_file writes the [user_info] section; the template module has no option/value parameters
  ansible.builtin.ini_file:
    path: /opt/splunkforwarder/etc/system/local/user-seed.conf
    owner: root
    group: root
    mode: "0640"
    section: user_info
    option: "{{ item.opt }}"
    value: "{{ item.val }}"
  with_items:
    - { opt: 'USERNAME', val: 'admin' }
    - { opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd }}' }
  become: true
  when: splunk_agent_status.rc != 0
0 Karma

isoutamo
SplunkTrust

I have it this way (thanks splunk/ansible-splunk)

- name: Set admin access via seed
  when: splunk_first_run | bool
  block:

    - name: "Hash the password"
      command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}"
      register: hashed_pwd
      changed_when: hashed_pwd.rc == 0
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"

    - name: "Generate user-seed.conf (Linux)"
      ini_file:
        owner: "{{ splunk.user }}"
        group: "{{ splunk.group }}"
        dest: "{{ splunk.home }}/etc/system/local/user-seed.conf"
        section: user_info
        option: "{{ item.opt }}"
        value: "{{ item.val }}"
        mode: 0644
      with_items:
        - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'}
        - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'}
      loop_control:
        label: "{{ item.opt }}"
      when: ansible_system is match("Linux")
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"

Then that user + password information is in config files, which are per environment etc., in git. All those secrets are saved with ansible-vault, so there are no passwords as plain text in your repository/inventory. You can have as many config files as you need. Usually one or more per environment and customer.

0 Karma

codebuilder
Influencer

If it returns nothing then your password meets requirements. Otherwise it will return an ERROR.

e.g...

splunk validate-passwd '$6$m84'
ERROR: Password did not meet complexity requirements. Password must contain at least:
* 8 total printable ASCII character(s).

----
An upvote would be appreciated and Accept Solution if it helps!

tkw03
Communicator

The un-hashed password returns nothing which I think means it works?
I tried the hashed password but it errors, but I think it probably should, right?

0 Karma

codebuilder
Influencer

If your hashed password threw errors then it either does not meet complexity requirements or you need to enclose it within tick marks.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

tkw03
Communicator

I thought that might happen. My goal is to NOT use a clear-text password but I've been having a bit of trouble getting that lined out. Any thoughts on how that might be achieved?

 

Thanks all for the assistance!

0 Karma

codebuilder
Influencer

You can use a hashed password, it just needs to be hashed by Splunk. It can't be a random string you create.
This obviously means you need to have Splunk up and running (somewhere) but here is the command:

splunk hash-passwd <plaintext password>


You should be able to execute that on an unrelated node running the same Splunk version and be fine.

----
An upvote would be appreciated and Accept Solution if it helps!

tkw03
Communicator

I did do that, the hashed pass I used in the script is the hashed password I created from the password I wanted to use. I didn't create a random hash. It doesn't appear to update passwd though, so I'm not sure it actually works.

0 Karma

codebuilder
Influencer

There is also a validate-passwd function you can use after hashing.

More info here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Security/Secureyouradminaccount

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

scelikok
SplunkTrust

Hi @tkw03,

This is normal behaviour. The passwd file is updated with your hashed password and the user-seed.conf file is deleted.

I think you are able to login with the new password.

If this reply helps you an upvote and "Accept as Solution" is appreciated.