Security

Why is a number getting appended to each line when making changes to password file in Splunk 7?

splunkIT
Splunk Employee
Splunk Employee

We’ve started testing Splunk 7 and I noticed that when I make changes to the splunk/etc/passwd file and restart splunkd, a number is getting appended to the line each time. ie.

:admin:$6$J5am*::Administrator:admin:changeme@example.com::

becomes

:admin:$6$J5am*::Administrator:admin:changeme@example.com::17954

Where is that number coming from?

0 Karma
1 Solution

svishnevskaya_s
Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

View solution in original post

chris_jepeway
New Member

Ahoy, @svishnevskaya_splunk! Sure could use an understanding of how the expiry number is generated. I'd like to incorporate it into some Puppet modules I'm building for our new splunk> cluster.

0 Karma

chris_jepeway
New Member

@svishnevskaya_splunk Can you explain how the number is generated? I'd like to replicate it so splunk and my configuration management system aren't fighting each other.

0 Karma

svishnevskaya_s
Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

chris_jepeway
New Member

So, today's number is 17998.

That's the number of days since the Unix Epoch (1 Jan 1970 00:00:00 UTC).

So, that's what I'll have my config management system stuff into the final field whenever it adds an entry to the splunk password file.

0 Karma

chris_jepeway
New Member

So...any chance of an explanation of how to generate this field so I can put this file into our configuration management system?

It's rather...inelegant that each run of puppet--say--rewrites the passwd file, only to have splunk add the expiry digits back in when reloading.

I may just add ;1, see what happens, and report back for the curious.

A definitive answer from a splunker would be much appreciated, nevertheless.

0 Karma

chris_jepeway
New Member

Err...add 1, of course.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...