Security

Why is a number getting appended to each line when making changes to password file in Splunk 7?

splunkIT
Splunk Employee
Splunk Employee

We’ve started testing Splunk 7 and I noticed that when I make changes to the splunk/etc/passwd file and restart splunkd, a number is getting appended to the line each time. ie.

:admin:$6$J5am*::Administrator:admin:changeme@example.com::

becomes

:admin:$6$J5am*::Administrator:admin:changeme@example.com::17954

Where is that number coming from?

0 Karma
1 Solution

svishnevskaya_s
Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

View solution in original post

chris_jepeway
New Member

Ahoy, @svishnevskaya_splunk! Sure could use an understanding of how the expiry number is generated. I'd like to incorporate it into some Puppet modules I'm building for our new splunk> cluster.

0 Karma

chris_jepeway
New Member

@svishnevskaya_splunk Can you explain how the number is generated? I'd like to replicate it so splunk and my configuration management system aren't fighting each other.

0 Karma

svishnevskaya_s
Splunk Employee
Splunk Employee

That number 17954 is actually an internal timestamp we use for the password creation date so it’s automatically generated.
It’s used for triggering password expiration if that option is enabled by going to Settings > Access Controls > Password Policy Management > Expiration.

chris_jepeway
New Member

So, today's number is 17998.

That's the number of days since the Unix Epoch (1 Jan 1970 00:00:00 UTC).

So, that's what I'll have my config management system stuff into the final field whenever it adds an entry to the splunk password file.

0 Karma

chris_jepeway
New Member

So...any chance of an explanation of how to generate this field so I can put this file into our configuration management system?

It's rather...inelegant that each run of puppet--say--rewrites the passwd file, only to have splunk add the expiry digits back in when reloading.

I may just add ;1, see what happens, and report back for the curious.

A definitive answer from a splunker would be much appreciated, nevertheless.

0 Karma

chris_jepeway
New Member

Err...add 1, of course.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...