Security

User accounts

marg224
New Member

I've tried to research this issue on my own, but to no avail, and I'm at my wit's end.

Every so often, all my user accounts, with the exception of Admin, disappear. I'm admin and I am not deleting them. Most of the users have the power user role, or just plain user.

If anyone has any ideas I'd appreciate it greatly.

Thanks in advance.

M

0 Karma
1 Solution

bosburn_splunk
Splunk Employee
Splunk Employee

I'm assuming you have an enterprise license.

That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.


0 Karma

marg224
New Member

Found the answer myself... seems someone else was resetting the admin password, BUT not saving off the user files, so that when the new admin password was used, there were no user accounts. Solved by copying the .ini file and restoring it when the admin password was reset. Did not find this solution listed anywhere or in the documents. It would have been nice to know. Anyway, such as it is, it's no longer a mystery, and thanks to all who offered up answers!

0 Karma
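An added example, written for this thread rather than taken from it or from Splunk, that turns the two checks discussed so far into a script: whether $SPLUNK_HOME/etc/passwd is readable by the OS account running Splunk (the accepted answer), and whether accounts have gone missing compared with a saved copy of the file (the cause marg224 found, a reset that rewrote the file). Assumptions: SPLUNK_HOME defaults to /opt/splunk when unset, the Splunk OS account name comes from SPLUNK_OS_USER (default "splunk"), and each line of the passwd file is one account whose username is the first non-empty colon-separated field. The two passwd bodies in the script are constructed samples.

```python
import grp
import os
import pwd
import stat

# Assumption: SPLUNK_HOME defaults to /opt/splunk when the variable is not set.
SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunk")
PASSWD_PATH = os.path.join(SPLUNK_HOME, "etc", "passwd")

# Constructed samples of the file's contents (not from a real install).
SAMPLE_BASELINE = """\
:admin:$6$saltsalt$hashhashhash::Administrator:admin:admin@example.com:::
:jdoe:$6$saltsalt$hashhashhash::Jane Doe:power:jdoe@example.com:::
:asmith:$6$saltsalt$hashhashhash::Al Smith:user:asmith@example.com:::
"""
SAMPLE_AFTER_RESET = """\
:admin:$6$newsalt$newhashnewhash::Administrator:admin:admin@example.com:::
"""


def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """Pure read check: does an account with this uid and group set get read
    access to a file with this mode and ownership? Same order as access(2):
    owner bits if the uid owns the file, else group bits if a group matches,
    else other bits. uid 0 always passes."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_by(path, username):
    """Apply mode_allows_read to a real file and a real OS account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return mode_allows_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


def account_names(passwd_text):
    """Usernames in a passwd body. Assumption: one account per line, and the
    username is the first non-empty colon-separated field (lines start with ':')."""
    names = []
    for line in passwd_text.splitlines():
        fields = [f for f in line.strip().split(":") if f]
        if fields:
            names.append(fields[0])
    return names


def missing_accounts(baseline_text, current_text):
    """Accounts present in the saved copy but absent from the live file."""
    return sorted(set(account_names(baseline_text)) - set(account_names(current_text)))


if __name__ == "__main__":
    # Live check against a real install; run as root or as the Splunk user.
    splunk_user = os.environ.get("SPLUNK_OS_USER", "splunk")  # assumed account name
    if os.path.exists(PASSWD_PATH):
        try:
            print(f"{PASSWD_PATH} readable by {splunk_user}: {readable_by(PASSWD_PATH, splunk_user)}")
        except KeyError:
            print(f"no OS account named {splunk_user}; set SPLUNK_OS_USER")
    # Offline comparison of the constructed samples: a reset that rewrote the
    # file with only the admin entry shows up as two missing accounts.
    print("missing after reset:", missing_accounts(SAMPLE_BASELINE, SAMPLE_AFTER_RESET))
```

In practice you would save a copy of the passwd file before any admin-password reset and feed that copy as the baseline; a non-empty result from missing_accounts is the symptom this thread started with, caught before users notice.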

walker_liu
Explorer

Hi, could I know the exact filename you copied and restored? Because I only saw user.ini, but it was empty before/after I reset the admin password.

0 Karma


marg224
New Member

bosburn_splunk: thanks. I checked and yes, $SPLUNK_HOME/etc/passwd is readable by the user running Splunk (root) on our Enterprise install. Anything else you can suggest? Thanks so much.

0 Karma

marg224
New Member

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?

Thanks to all in advance.

M.

0 Karma

somesoni2
Revered Legend

Try running this query, which provides a list of deleted users along with who deleted them. See if it helps in your investigation.

index=_internal sourcetype=splunkd_access uri_path="*authentication/users*" method="DELETE"
| rename file as user_deleted, user as deleted_by, _time as time_deleted
| table user_deleted, time_deleted, deleted_by
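The same detection as an added Python example, not from this thread or from Splunk, for anyone who wants to run it over exported splunkd_access lines instead of in search: it keeps DELETE calls whose URI path is under authentication/users, takes the last path segment as the deleted user (what the query above reads from Splunk's file field) and the authenticated caller as deleted_by. The log lines are constructed samples, and the combined-log field layout they follow is an assumption about the access-log format.

```python
import re
from datetime import datetime

# Constructed sample splunkd_access lines (not from the thread); the layout is
# assumed to follow the combined-log style splunkd uses for REST calls.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Nov/2024:09:12:01.104 +0000] "GET /services/authentication/users HTTP/1.1" 200 1842 - - - 4ms
10.0.0.5 - admin [16/Nov/2024:09:12:44.311 +0000] "DELETE /services/authentication/users/jdoe HTTP/1.1" 200 148 - - - 6ms
10.0.0.9 - ops_script [16/Nov/2024:09:13:02.007 +0000] "DELETE /services/authentication/users/asmith HTTP/1.1" 200 148 - - - 5ms
10.0.0.9 - ops_script [16/Nov/2024:09:13:02.900 +0000] "DELETE /services/saved/searches/old_alert HTTP/1.1" 200 131 - - - 3ms
10.0.0.5 - admin [16/Nov/2024:09:14:10.550 +0000] "POST /services/authentication/users HTTP/1.1" 201 301 - - - 9ms
this line is not an access-log record and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """One splunkd_access record as a dict, or None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    rec["status"] = int(rec["status"])
    return rec


def find_user_deletions(log_text):
    """Equivalent of the SPL above: DELETE calls whose URI path is under
    authentication/users. Returns (user_deleted, time_deleted, deleted_by)
    tuples; user_deleted is the last URI segment, the value Splunk exposes
    as the "file" field."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        if "/authentication/users/" not in rec["uri"]:
            continue
        user_deleted = rec["uri"].rstrip("/").rsplit("/", 1)[-1]
        rows.append((user_deleted, rec["ts"].isoformat(), rec["user"]))
    return rows


def deletions_by_actor(log_text):
    """Count of user deletions per authenticated caller, for a quick triage view."""
    counts = {}
    for _, _, actor in find_user_deletions(log_text):
        counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_user_deletions(SAMPLE_LOG):
        print("user_deleted=%s time_deleted=%s deleted_by=%s" % row)
    print(deletions_by_actor(SAMPLE_LOG))
```

Note that, like the SPL, this does not filter on HTTP status, so a rejected DELETE (a 4xx) is still listed; that is usually what you want during an investigation, since a failed attempt is itself worth knowing about. If the list comes back empty over a wide enough time range while users still vanish, the accounts were not removed through the REST interface, which points at the passwd file itself being overwritten rather than at a user-level deletion.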

somesoni2
Revered Legend

Hope you're running it with the proper timeframe selected. Also, check the content of the following file: splunk/etc/passwd. This file contains all the user information. Check if there is any program/script deleting this file.

0 Karma


marg224
New Member

I'm using Splunk 5.05.

Not using LDAP.

Solaris 10 OS.

I'm the only one with admin access, all other users have power.

I'm the only one with root access.

Thanks!

0 Karma

bosburn_splunk
Splunk Employee
Splunk Employee

Can you provide a little more information? Are you using LDAP or Splunk authentication? What version of Splunk? What OS?

0 Karma