Security

Why is a number getting appended to each line when making changes to password file in Splunk 7?

Splunk Employee
Splunk Employee

We’ve started testing Splunk 7 and I noticed that when I make changes to the splunk/etc/passwd file and restart splunkd, a number is getting appended to the line each time. ie.

:admin:$6$J5am*::Administrator:admin:changeme@example.com::

becomes

:admin:$6$J5am*::Administrator:admin:changeme@example.com::17954

Where is that number coming from?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

View solution in original post

New Member

Ahoy, @svishnevskaya_splunk! Sure could use an understanding of how the expiry number is generated. I'd like to incorporate it into some Puppet modules I'm building for our new splunk> cluster.

0 Karma

New Member

@svishnevskaya_splunk Can you explain how the number is generated? I'd like to replicate it so splunk and my configuration management system aren't fighting each other.

0 Karma

Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

View solution in original post

New Member

So, today's number is 17998.

That's the number of days since the Unix Epoch (1 Jan 1970 00:00:00 UTC).

So, that's what I'll have my config management system stuff into the final field whenever it adds an entry to the splunk password file.

0 Karma

New Member

So...any chance of an explanation of how to generate this field so I can put this file into our configuration management system?

It's rather...inelegant that each run of puppet--say--rewrites the passwd file, only to have splunk add the expiry digits back in when reloading.

I may just add ;1, see what happens, and report back for the curious.

A definitive answer from a splunker would be much appreciated, nevertheless.

0 Karma

New Member

Err...add 1, of course.

0 Karma