How to set maintenance mode for indexer cluster with hashed password?

leonaheidern2
Loves-to-Learn Everything

Hi all

I am having issues trying to script enabling and disabling maintenance mode with a hashed password.

The command is /opt/splunk/bin/splunk enable maintenance-mode -auth admin:somepassword

Is there a way I can hash the password? I have tried hash-passwd and user-seed.conf, but it does not seem to hash my clear-text password upon restarting Splunk.

 

0 Karma

leonaheidern2
Loves-to-Learn Everything

I actually do. It's usually because of kernel patches; that's why I have to reboot. Hence I was thinking of an automated way to deal with the indexer cluster and master node. Currently I am doing this manually every month.

0 Karma

PickleRick
SplunkTrust

So any way of authentication that can be used in such a batch operation has to rely on stored authentication data. Whether it's a plaintext password, password hash, ssh key, x509 certificate, you still have to "show" something to the entity you want to authenticate yourself to. That's a common problem with all "static" authentication mechanisms. You'd have to have some completely different authentication schema to avoid the possible impersonation problem.

0 Karma

PickleRick
SplunkTrust

Even if you could, that wouldn't increase your script security. As long as you're storing authentication data which can be provided in the clear to authenticate your user, it's prone to leakage and abuse. Storing it as a "hashed" value, if you can authenticate yourself with this hashed value, effectively makes it cleartext.

Anyway, you can use REST to put the cluster in maintenance mode. https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTcluster#cluster.2Fmanager.2Fcontrol.2...

0 Karma
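The REST approach from the reply above, sketched as an added example that is not part of the thread or Splunk's own tooling: the stored credential is still needed, but the script refuses a loosely-permissioned credential file and feeds the secret to curl on stdin instead of the command line. The paths, the CA file, the variable names and the dedicated low-privilege account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: CRED_FILE, CA_FILE, MGMT_URL,
# and a dedicated low-privilege Splunk account stored as "user:password" in CRED_FILE.
CRED_FILE="${CRED_FILE:-/etc/splunk-maint/cred}"   # assumed path, expected mode 0600
CA_FILE="${CA_FILE:-/etc/splunk-maint/ca.pem}"     # assumed CA for the management port
MGMT_URL="${MGMT_URL:-https://localhost:8089}"     # cluster manager management port

# Refuse a credential file that is a symlink, not owned by us,
# or accessible in any way by group/other.
cred_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Emit a config for "curl -K -": the secret travels on stdin, so it never
# appears in argv (ps output, /proc/<pid>/cmdline, shell history).
# $1 = true|false (maintenance mode on/off), $2 = credential file
curl_config() {
    case "$1" in true|false) ;; *) return 2 ;; esac
    # Escape backslash and double quote, which are special inside a quoted curl config value.
    cred=$(head -n 1 "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'user = "%s"\n' "$cred"
    printf 'data = "mode=%s"\n' "$1"
    printf 'url = "%s/services/cluster/manager/control/default/maintenance"\n' "$MGMT_URL"
}

set_maintenance() {
    cred_file_ok "$CRED_FILE" || { echo "unsafe credential file: $CRED_FILE" >&2; return 1; }
    curl_config "$1" "$CRED_FILE" |
        curl --silent --show-error --fail --cacert "$CA_FILE" -K -
}

# Only act when asked to, so the functions can be sourced and checked separately.
case "${1:-}" in
    enable)  set_maintenance true ;;
    disable) set_maintenance false ;;
esac
```

Run it on the cluster manager as `script enable` before the patch window and `script disable` afterwards.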

leonaheidern2
Loves-to-Learn Everything

I am actually trying to do this as a shell script for yum update.

Probably schedule maintenance mode on the master node first, then set hourly intervals per indexer to offline, yum update and reboot.

I have enabled boot-start for Splunk, so technically the Splunk service starts up automatically on reboot.

0 Karma

PickleRick
SplunkTrust

Typically yum update should not require stopping splunkd as such. There are almost no really important dependencies that could interfere with Splunk as the packages are updated. Of course if you need to reboot to upgrade the kernel or systemd (why would you want to reboot otherwise?) you want to use maintenance mode.

0 Karma