Splunk Admin Password
ID: splunk_admin_password
Severity: critical
Vendor: Splunk
Family: Password
Description
Splunk (now part of Cisco) provides data analysis software. This detector detects any leaked admin password for Splunk Enterprise.
When you install Splunk Enterprise, you must create a username and password for the administrator account. Your Splunk Enterprise instance is not accessible without this account.
Security
Any hardcoded Splunk Admin Password is a potential secret reported by this detector. This password allows, along with the username (which is stored in the same file or could be easily guessed), full control over the Splunk Enterprise instance.
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). The Splunk Admin Password can be reset using the following command:
splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"
Follow the recommendations given in the Reset credentials section of the Splunk documentation.
- Remove the Splunk Admin Password from the source code or committed configuration file. Note that resetting the password is still necessary, as this step does not prevent unintended users from using previously captured credentials.
- Check Splunk access logs to ensure that the secret was not used by unintended actors during the exposure window.
- To limit the attack surface, you may restrict access to the Splunk Enterprise instance, as described in the Secure Splunk Enterprise on your network section of the Splunk documentation.
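As an added example (not this page's or GitGuardian's detector code), the following minimal Python scanner flags the two places a Splunk admin password usually ends up committed, which supports the "remove it from source" step above; the user-seed.conf stanza layout and the SPLUNK_PASSWORD environment variable are assumed formats, and all sample inputs are constructed.

```python
"""Minimal scanner for Splunk admin passwords committed to source.
Added example, not GitGuardian's detector. Assumed formats:
  * user-seed.conf: a [user_info] stanza with USERNAME / PASSWORD keys
  * env or compose files: a SPLUNK_PASSWORD=... assignment"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    path: str
    line: int
    username: Optional[str]
    password: str

    def redacted(self) -> str:
        # Never echo the full secret into a report or ticket.
        return f"{self.path}:{self.line} user={self.username} pw={self.password[:2]}***"

SEED_KEY = re.compile(r"^\s*(USERNAME|PASSWORD)\s*=\s*(\S.*?)\s*$", re.IGNORECASE)
ENV_KEY = re.compile(r"^\s*-?\s*SPLUNK_PASSWORD\s*[=:]\s*['\"]?([^'\"\s#]+)")

def scan_text(path: str, text: str) -> list:
    """Return one Finding per hardcoded admin password found in `text`."""
    findings, in_user_info, username = [], False, None
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):  # .conf stanza header
            in_user_info, username = s.lower() == "[user_info]", None
            continue
        m = SEED_KEY.match(line) if in_user_info else None
        if m and m.group(1).upper() == "USERNAME":
            username = m.group(2)  # kept so the report names the account
        elif m:
            findings.append(Finding(path, n, username, m.group(2)))
        m = ENV_KEY.match(line)
        if m and not m.group(1).startswith("$"):  # "${VAR}" is templated, not leaked
            # Docker image sets the admin account's password from this variable (assumed)
            findings.append(Finding(path, n, "admin", m.group(1)))
    return findings

# Constructed sample inputs for the demo (not real credentials).
SAMPLE_SEED = "[user_info]\nUSERNAME = admin\nPASSWORD = Example-Pass-123\n"
SAMPLE_COMPOSE = ("services:\n  splunk:\n    environment:\n"
                  "      - SPLUNK_START_ARGS=--accept-license\n"
                  "      - SPLUNK_PASSWORD=Example-Pass-123\n")
SAMPLE_TEMPLATED = "SPLUNK_PASSWORD=${VAULT_SPLUNK_PASSWORD}\n"
```

Run `scan_text(path, open(path).read())` over the files in a commit; `redacted()` keeps the password itself out of the resulting report.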