
Splunk Password Policy of admin role

Path Finder

The content of the Splunk password policy:
-- authentication.conf --
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

If users enter an incorrect password more than five times, their accounts are locked.
However, if an account with the admin role enters an incorrect password more than 10 times, the account is not locked.
How do I make an account with the admin role also lock when it fails to log in more than 5 times?

0 Karma

Re: Splunk Password Policy of admin role

Ultra Champion

Are any of your users LDAP/SSO, or are they all using local Splunk authentication?

My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.

0 Karma

Re: Splunk Password Policy of admin role

Path Finder

You can modify the authorize.conf file.
Edit /splunk/etc/system/local/authorize.conf
after splunk restart

[role_admin]
never_lockout = disabled

0 Karma

Re: Splunk Password Policy of admin role

New Member

Splunk's password policy does not lock out the admin role by default.
To do this, add the following settings to the authorize.conf file.

$SPLUNK_HOME/system/local/authorize.conf
[role_admin]
never_lockout = disabled

0 Karma
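
An added example (not part of the original thread and not Splunk's own code): a Python check that reads authentication.conf and authorize.conf text and lists the roles that remain exempt from the lockout policy through `never_lockout = enabled`. The sample stanzas are constructed, and the function name `audit_lockout` and the choice to count only an explicit `enabled` as exempt are assumptions of this example.

```python
import configparser

# Constructed sample input: the lockout settings from the question plus
# three role stanzas (not taken from a real deployment).
AUTHENTICATION_CONF = """
[splunk_auth]
lockoutUsers = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
"""

AUTHORIZE_CONF = """
[role_admin]
never_lockout = enabled

[role_user]
never_lockout = disabled

[role_power]
importRoles = user
"""

def _parse(text):
    """Parse .conf text as INI; enough for simple key = value stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def audit_lockout(authentication_text, authorize_text):
    """Return the lockout policy and the roles explicitly exempt from it."""
    auth = _parse(authentication_text)
    roles = _parse(authorize_text)
    pol = auth["splunk_auth"] if auth.has_section("splunk_auth") else {}
    attempts = pol.get("lockoutAttempts")
    # Assumption: only an explicit "enabled" counts as exempt here, so feed
    # this the merged configuration rather than a single local file.
    exempt = sorted(
        name[len("role_"):] for name in roles.sections()
        if name.startswith("role_")
        and roles[name].get("never_lockout", "").strip().lower() == "enabled"
    )
    return {
        "lockout_enabled": pol.get("lockoutUsers", "").strip().lower() in ("1", "true"),
        "attempts": int(attempts) if attempts is not None else None,
        "exempt_roles": exempt,
    }

if __name__ == "__main__":
    print(audit_lockout(AUTHENTICATION_CONF, AUTHORIZE_CONF))
```

Any role listed under `exempt_roles` while `lockout_enabled` is true will not be locked by failed logins, which matches the behaviour described in the question.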