Splunk Enterprise

Does Splunk auto update the etc/password file?

human96
Communicator

Hi, Splunkers,

I have a doubt. now currently using Splunk enterprise 8.2.5, today morning the etc/password file auto-updated and detected by a third party software ( confidential ).

I never changed the file, so my question is-- does Splunk auto-update the $SPLUNK_HOME/etc/password file?

please provide any Splunk documentation 

Labels (3)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

* If you mean passwd file of Linux system (/etc/passwd) - No Splunk does not touch any file outside its the home directory.

* If you mean passwd file of Splunk ($SPLUNK_HOME/etc/passwd) - Splunk stores user information there so if you have done any modification regarding user or role or user-password on Splunk then Splunk might have updated the file.

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

* If you mean passwd file of Linux system (/etc/passwd) - No Splunk does not touch any file outside its the home directory.

* If you mean passwd file of Splunk ($SPLUNK_HOME/etc/passwd) - Splunk stores user information there so if you have done any modification regarding user or role or user-password on Splunk then Splunk might have updated the file.

human96
Communicator

Thanks for the quick response

yes i meant $SPLUNK_HOME/etc/passwd

but recently i did not change any user information,  roles, password. 

but still the file automatically updated itself. 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust
Can you please explain why Splunk updating its own file is a problem?
0 Karma

human96
Communicator

no, i'm not saying it's a problem. i just want to know.

does splunk very often update the password file ?

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I know User changes (password, name, roles update) could trigger the file to update but not without any reason.

* Check with Splunk support if you think it is happening regularly and without any reason.

* Though I personally have not seen such a bug with any version of Splunk.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...