Security

Need a list of all the locations of hashed passwords based on splunk.secret

the_wolverine
Champion

Is there a list of all possible instances of hashed passwords in Splunk that are based on the splunk.secret? I'm investigating what the effort is to get our splunk.secret in sync for existing servers that don't have matching splunk.secret.

0 Karma

the_wolverine
Champion
# grep -ri \$1\$. *

dflodstrom
Builder

Care to expand on this?

0 Karma

woodcock
Esteemed Legend

This command (after you do cd $SPLUNK_HOME) will show you any file which contains a splunk-encrypted password (and a whole bunch of other binary files, *.js files and other irrelevant junk). The (properly filtered) output will show you which files WILL BREAK when you change the secret file. You then go figure out how to re-input the password for those "things". For example, many people use LDAP for authentication to get into Splunk search heads. This means that the Search Head stored credentials to access AD. This password is encrypted with the secret and stored in $SPLUNK_HOME/etc/system/local/authentication.conf as bindDNpassword. If this is the case for you, then this file will be identified by the grep command.
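
An added example, not part of the thread's posts and not Splunk's own tooling: a filtered form of the grep above that reads only .conf files and reports file, stanza and setting name for each value starting with $1$, without printing the encrypted value. The function names, the "(global)" label, the constructed sample tree and the extra $7$ prefix (assumed here for newer Splunk versions, which goes beyond what the thread covers) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list .conf settings whose value starts
# with a splunk.secret-encrypted prefix. Prints file<TAB>stanza<TAB>key only;
# the encrypted value itself is never printed.

find_secret_bound_settings() {
    # $1 = directory to scan, e.g. "$SPLUNK_HOME/etc"
    find "$1" -type f -name '*.conf' -exec awk '
        FNR == 1 { stanza = "(global)" }          # settings before any [stanza]
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                  # stanza header
            stanza = $0
            gsub(/^[ \t]+|[ \t]+$/, "", stanza)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val)
            # "$1$" is the prefix grepped for in this thread; "$7$" is an
            # assumption covering the prefix newer Splunk versions write.
            if (val ~ /^\$[17]\$./) {
                printf "%s\t%s\t%s\n", FILENAME, stanza, key
            }
        }
    ' {} +
}

demo() {
    # Constructed sample tree; names and values are made up for illustration.
    d=$(mktemp -d) && mkdir -p "$d/etc/system/local" "$d/etc/apps/x/appserver"
    printf '%s\n' '[my_ldap]' 'bindDNpassword = $1$CONSTRUCTEDaaaa==' \
        'host = ldap.example.com' '# old = $1$CONSTRUCTEDbbbb' \
        > "$d/etc/system/local/authentication.conf"
    printf '%s\n' 'pass4SymmKey = $7$CONSTRUCTEDcccc' '[sslConfig]' \
        'sslPassword=$1$CONSTRUCTEDdddd' > "$d/etc/system/local/server.conf"
    printf '%s\n' 'var re = "$1$x";' > "$d/etc/apps/x/appserver/junk.js"
    find_secret_bound_settings "$d/etc"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Each line of output names one setting that has to be re-entered in clear text (or re-encrypted) after splunk.secret changes on that host.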

dflodstrom
Builder

I was looking for an explanation of the regex but your explanation of the issue is spot on. Still very useful for anyone stumbling upon this answer.

0 Karma

woodcock
Esteemed Legend

Also, please contact me (email is in my profile) and let me know how your research turned out (I am trying to do the same thing: sync splunk.secret on a production system already up and running).

0 Karma

dflodstrom
Builder

I was able to accomplish this with little-to-no issues but I also wasn't doing it on a system with lots of additional hashed values.

0 Karma

woodcock
Esteemed Legend

I think that you should click Accept to close the question since the answer is a good (if terse) one.

0 Karma

dflodstrom
Builder

Ain't my question otherwise I would.

0 Karma