Splunk Password Policy of admin role

khyoung7410 · ‎03-12-2019

The content of Splunk password Policy.
-- authentication.conf --
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1

If users miss passwords more than five times, their accounts are locked.
However, if an account with the role admin has a password that is incorrect more than 10 times, the account will not be locked.
If an account with the admin role also fails to log in more than 5 times, how do I lock my account?

jhy · ‎03-13-2019

Splunk's password policy does not lockout to the admin role by default.
To do this, add the following settings to the authorize.conf file.

$ SPLUNK_HOME / system / local / authorize.conf
[role_admin]
never_lockout = disabled

nickhills · ‎03-13-2019

Are any of your users LDAP/SSO, or are they all using local Splunk authentication?

My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.

If my comment helps, please give it a thumbs up!

khyoung7410 · ‎03-13-2019

You can modify the autorize.conf file.
Edit /splunk/etc/system/local/authorize.conf
after splunk restart

[role_admin]
never_lockout = disabled

Splunk Password Policy of admin role

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector