Security

Splunk Password Policy of admin role

khyoung7410
Communicator

The content of Splunk password Policy.
-- authentication.conf --
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

If users miss passwords more than five times, their accounts are locked.
However, if an account with the role admin has a password that is incorrect more than 10 times, the account will not be locked.
If an account with the admin role also fails to log in more than 5 times, how do I lock my account?

0 Karma

jhy
Observer

Splunk's password policy does not lockout to the admin role by default.
To do this, add the following settings to the authorize.conf file.

$ SPLUNK_HOME / system / local / authorize.conf
[role_admin]
never_lockout = disabled

0 Karma

nickhills
Ultra Champion

Are any of your users LDAP/SSO, or are they all using local Splunk authentication?

My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.

If my comment helps, please give it a thumbs up!
0 Karma

khyoung7410
Communicator

You can modify the autorize.conf file.
Edit /splunk/etc/system/local/authorize.conf
after splunk restart

[role_admin]
never_lockout = disabled

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...