Security

How to set maintenance mode for indexer cluster with hashed password?

leonaheidern2
Loves-to-Learn Everything

Hi all

I am having issues trying to script enabling and disabling maintenance mode with a hashed password.

The command is /opt/splunk/bin/splunk enable maintenance-mode -auth admin:somepassword

Is there a way I can hash the password? I have tried hash-passwd and user-seed.conf, but it does not seem to hash my clear-text password upon restarting Splunk.

0 Karma

leonaheidern2
Loves-to-Learn Everything

I actually do. It's usually because of kernel patches; that's why I have to reboot. Hence I was thinking of an automated way to deal with the indexer cluster and master node. Currently I am doing this manually, monthly.

0 Karma

PickleRick
SplunkTrust

So any way of authentication that can be used in such batch operation has to rely on stored authentication data. Whether it's a plaintext password, password hash, ssh key, x509 certificate, you still have to "show" something to the entity you want to authenticate yourself to. That's a common problem with all "static" authentication mechanisms. You'd have to have some completely different authentication schema to avoid the possible impersonation problem.

0 Karma

PickleRick
SplunkTrust

Even if you could, that wouldn't increase your script security. As long as you're storing authentication data which can be provided in the clear to authenticate your user, it's prone to leakage and abuse. Storing it as "hashed" value if you can authenticate yourself with this hashed value effectively makes it cleartext.

Anyway, you can use REST to put the cluster in maintenance mode. https://docs.splunk.com/Documentation/Splunk/8.2.6/RESTREF/RESTcluster#cluster.2Fmanager.2Fcontrol.2...

0 Karma
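As an added example (not code from the thread or from Splunk), here is a POSIX shell script that drives the REST endpoint PickleRick points to instead of passing admin:password on the splunk CLI. It assumes a Splunk authentication token stored in a root-only file (assumed path /etc/splunk/maint_token, mode 0600) and the cluster manager's default URL and CA file; the endpoint path is the cluster/manager/control/control/maintenance endpoint from the 8.2 REST reference.

```shell
#!/bin/sh
# Enable or disable indexer-cluster maintenance mode over REST.
# The credential never appears on the command line, so it is not visible in
# `ps` output or shell history; it lives in a file only root can read.
SPLUNK_MGR_URL="${SPLUNK_MGR_URL:-https://localhost:8089}"        # assumed manager URL
TOKEN_FILE="${TOKEN_FILE:-/etc/splunk/maint_token}"               # assumed path, mode 0600
CA_FILE="${SPLUNK_CA_FILE:-/opt/splunk/etc/auth/cacert.pem}"      # CA used to verify the manager

# Refuse to use a token file that group or other can read; a leaked token is
# equivalent to a leaked password, as the thread points out.
check_token_file() {
  f="$1"
  [ -f "$f" ] || { echo "token file $f missing" >&2; return 1; }
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "token file $f has mode $perms, expected 600" >&2; return 1 ;;
  esac
}

maintenance_url() {
  echo "$SPLUNK_MGR_URL/services/cluster/manager/control/control/maintenance"
}

# mode=true enables maintenance mode, mode=false disables it.
set_maintenance() {
  mode="$1"
  case "$mode" in
    true|false) ;;
    *) echo "mode must be true or false" >&2; return 2 ;;
  esac
  check_token_file "$TOKEN_FILE" || return 1
  curl -sS --fail --cacert "$CA_FILE" \
    -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
    -d "mode=$mode" -d "output_mode=json" \
    "$(maintenance_url)"
}

# Usage: splunk_maint.sh true   (before patching)
#        splunk_maint.sh false  (after every indexer is back)
case "${1:-}" in
  true|false) set_maintenance "$1" ;;
esac
```

Run it from the same cron or patch job that reboots the node, and keep the token tied to a dedicated account that only has the cluster-control rights the job needs.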

leonaheidern2
Loves-to-Learn Everything

I am actually trying to do this as a shell script for yum update.

Probably schedule maintenance mode on the master node first, then set hourly intervals per indexer to take it offline, yum update and reboot.

I have enabled boot-start for Splunk, so technically the splunk service starts up automatically on reboot.

0 Karma

PickleRick
SplunkTrust

Typically yum update should not require stopping splunkd as such. There are almost no really important dependencies that could interfere with Splunk as the packages are updated. Of course, if you need to reboot to upgrade the kernel or systemd (why would you want to reboot otherwise?), you want to use maintenance mode.

0 Karma