Security

Splunk Password Policy of admin role

khyoung7410
Communicator

The content of Splunk password Policy.
-- authentication.conf --
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

If users miss passwords more than five times, their accounts are locked.
However, if an account with the role admin has a password that is incorrect more than 10 times, the account will not be locked.
If an account with the admin role also fails to log in more than 5 times, how do I lock my account?

0 Karma

jhy
Observer

Splunk's password policy does not lockout to the admin role by default.
To do this, add the following settings to the authorize.conf file.

$ SPLUNK_HOME / system / local / authorize.conf
[role_admin]
never_lockout = disabled

0 Karma

nickhills
Ultra Champion

Are any of your users LDAP/SSO, or are they all using local Splunk authentication?

My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.

If my comment helps, please give it a thumbs up!
0 Karma

khyoung7410
Communicator

You can modify the autorize.conf file.
Edit /splunk/etc/system/local/authorize.conf
after splunk restart

[role_admin]
never_lockout = disabled

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...