Splunk Enterprise

Does Splunk auto update the etc/password file?

human96
Communicator

Hi, Splunkers,

I have a doubt. now currently using Splunk enterprise 8.2.5, today morning the etc/password file auto-updated and detected by a third party software ( confidential ).

I never changed the file, so my question is-- does Splunk auto-update the $SPLUNK_HOME/etc/password file?

please provide any Splunk documentation 

Labels (3)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

* If you mean passwd file of Linux system (/etc/passwd) - No Splunk does not touch any file outside its the home directory.

* If you mean passwd file of Splunk ($SPLUNK_HOME/etc/passwd) - Splunk stores user information there so if you have done any modification regarding user or role or user-password on Splunk then Splunk might have updated the file.

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

* If you mean passwd file of Linux system (/etc/passwd) - No Splunk does not touch any file outside its the home directory.

* If you mean passwd file of Splunk ($SPLUNK_HOME/etc/passwd) - Splunk stores user information there so if you have done any modification regarding user or role or user-password on Splunk then Splunk might have updated the file.

human96
Communicator

Thanks for the quick response

yes i meant $SPLUNK_HOME/etc/passwd

but recently i did not change any user information,  roles, password. 

but still the file automatically updated itself. 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust
Can you please explain why Splunk updating its own file is a problem?
0 Karma

human96
Communicator

no, i'm not saying it's a problem. i just want to know.

does splunk very often update the password file ?

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I know User changes (password, name, roles update) could trigger the file to update but not without any reason.

* Check with Splunk support if you think it is happening regularly and without any reason.

* Though I personally have not seen such a bug with any version of Splunk.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...