Security

Is an admin-user available by default on a Splunk Universal Forwarder (UF)?

hettervi
Builder

We're looking over our environment for potential safety flaws. One question that came up is whether an admin-user is available by default on Splunk Universal Forwarders (UF). I'm not thinking about the user the UF runs as on the OS, but an admin user on the application layer. Earlier Splunk Enterprise had a default admin password "changeme". Did this also apply for UFs? How can we make sure that there is no admin users on our UFs, or that if there is, that they have proper passwords? 

Labels (1)
Tags (3)
0 Karma
1 Solution

hettervi
Builder

I've done some digging in the documentation. For UFs on Windows it's specified that if you don't specify the "SPLUNKPASSWORD" and "SPLUNKUSERNAME" flags, the UF install without an admin user at all.

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/InstallaWindowsuniversalforwarderfro...

For potential older UFs with default credentials we've concluded that the easiest way to make sure these doesn't exist, is to delete all password files from all Windows UFs, deleting all users if any.

For Linux UFs the documentation doesn't specify what happens when you don't create an admin user on install, or if it's even possible to not create an admin user. We could assume it works the same way as for Windows UFs, but have to do some testing. I will comment this on the official documentation, so perhaps it's updated on next release.

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installanixuniversalforwarder

View solution in original post

0 Karma

hettervi
Builder

I've done some digging in the documentation. For UFs on Windows it's specified that if you don't specify the "SPLUNKPASSWORD" and "SPLUNKUSERNAME" flags, the UF install without an admin user at all.

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/InstallaWindowsuniversalforwarderfro...

For potential older UFs with default credentials we've concluded that the easiest way to make sure these doesn't exist, is to delete all password files from all Windows UFs, deleting all users if any.

For Linux UFs the documentation doesn't specify what happens when you don't create an admin user on install, or if it's even possible to not create an admin user. We could assume it works the same way as for Windows UFs, but have to do some testing. I will comment this on the official documentation, so perhaps it's updated on next release.

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installanixuniversalforwarder

0 Karma

gcusello
Esteemed Legend

Hi @hettervi,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
Esteemed Legend

Hi @hettervi,

the admin user on Universal Forwarders is defined at the installation time and there isn't any default user (e.g. system/manager).

The admin user and password are asked by the installation setup.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...