Security

Need a list of all the locations of hashed passwords based on splunk.secret

the_wolverine
Champion

Is there a list of all possible instances of hashed passwords in Splunk that are based on the splunk.secret? I'm investigating what the effort is to get our splunk.secret in sync for existing servers that don't have matching splunk.secret.

0 Karma

the_wolverine
Champion

# grep -ri \$1\$. *

dflodstrom
Builder

Care to expand on this?

0 Karma

woodcock
Esteemed Legend

This command (after you do cd $SPLUNK_HOME) will show you any file which contains a splunk-encrypted password (and a whole bunch of other binary files, *.js files and other irrelevant junk). The (properly filtered) output will show you which files WILL BREAK when you change the secret file. You then go figure out how to re-input the password for those "things". For example, many people use LDAP for authentication to get into Splunk search heads. This means that the Search Head stored credentials to access AD. This password is encrypted with the secret and stored in $SPLUNK_HOME/etc/system/local/authentication.conf as bindDNpassword. If this is the case for you, then this file will be identified by the grep command.
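
A filtered version of the search described above, as an added example that is not part of the original thread: it reads only *.conf files and reports the file, stanza and setting name of each value that starts with an encrypted-value prefix, without printing the value. The function names and sample files are constructed for illustration, and the `$7$` prefix is an assumption for newer Splunk releases (the thread only mentions `$1$`).

```shell
#!/bin/sh
# Report which .conf settings hold a splunk.secret-encrypted value, as
# "file<TAB>[stanza]<TAB>key". The encrypted values are never printed.

# "$1$" is the prefix from the thread; "$7$" is an assumption covering
# newer Splunk releases. Adjust to what your version writes.
SECRET_PREFIXES='$1$ $7$'

find_secret_settings() {    # $1 = directory, e.g. "$SPLUNK_HOME/etc"
    find "$1" -type f -name '*.conf' -exec awk -v prefixes="$SECRET_PREFIXES" '
        BEGIN { n = split(prefixes, p, " ") }
        FNR == 1 { stanza = "(no stanza)" }        # new file: reset stanza
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                   # remember current stanza
            stanza = $0; gsub(/^[ \t]+|[ \t]+$/, "", stanza); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            for (i = 1; i <= n; i++)
                if (index(val, p[i]) == 1) {       # value starts with prefix
                    printf "%s\t%s\t%s\n", FILENAME, stanza, key; break
                }
        }
    ' {} + | sort
}

make_sample_tree() {        # constructed sample input, not real configs
    d=$(mktemp -d) && mkdir -p "$d/etc/system/local" "$d/share"
    printf '%s\n' '[corp_ldap]' 'bindDN = cn=splunk,dc=example,dc=com' \
        'bindDNpassword = $1$CONSTRUCTEDSAMPLE==' \
        > "$d/etc/system/local/authentication.conf"
    printf '%s\n' '# pass4SymmKey = $1$commented' '[general]' \
        'serverName = idx01' 'pass4SymmKey = $7$CONSTRUCTEDSAMPLE==' \
        > "$d/etc/system/local/server.conf"
    printf '%s\n' 'var a = "$1$x";' > "$d/share/junk.js"   # grep noise
    printf '%s\n' "$d"
}

# With a directory argument, scan it; otherwise run on the sample tree.
if [ $# -gt 0 ]; then find_secret_settings "$1"
else t=$(make_sample_tree); find_secret_settings "$t"; rm -rf "$t"; fi
```

Running the same script on each server and comparing the lists shows which settings have to be re-entered on that host once its secret file changes.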

dflodstrom
Builder

I was looking for an explanation of the regex but your explanation of the issue is spot on. Still very useful for anyone stumbling upon this answer.

0 Karma

woodcock
Esteemed Legend

Also, please contact me (email is in my profile) and let me know how your research turned out (I am trying to do the same thing: sync splunk.secret on a production system already up and running).

0 Karma

dflodstrom
Builder

I was able to accomplish this with little-to-no issues but I also wasn't doing it on a system with lots of additional hashed values.

0 Karma

woodcock
Esteemed Legend

I think that you should click Accept to close the question since the answer is a good (if terse) one.

0 Karma

dflodstrom
Builder

Ain't my question otherwise I would.

0 Karma