Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Secure Splunk Phantom by configuring an account password expiration

A common security practice is to expire user account passwords after a specific period of time, such as every 90 days. Splunk Phantom does not provide the ability to configure an account password expiration. As a system administrator, you need to define, implement, and administer password expiration policies in accordance with your organization's requirements.

Take note of the following if you configure password expiration policies in your environment:

  • Do not configure a password expiration for the root account. This can cause issues such as the crond daemon stopping, logrotate failing to trim logs, data ingestion pausing, or services failing to restart.
  • Do not configure a password expiration in AWS environments. By default, AWS instances use key pairs for authentication. If a user account expires, the account is blocked from accessing the AMI unless the user has configured an account password and can provide it when prompted. Key pair authentication doesn't work for expired accounts.

To reset a user's account expiration date, shut down the AWS instance and update user data through the AWS console. For example, to set an account expiration date of January 1, 2023:

#cloud-boothook
#!/bin/bash
chage -E "Jan 1, 2038" user

Specify a date in the future but before Jan 19, 2038. The latest time that can be represented in Unix's signed 32-bit integer time format is 03:14:07 UTC on Tuesday, 19 January 2038.

You can configure the user account to never expire:

# chage -m 0 user
# chage -M 99999 user
# chage -l user
Last password change    : Dec 10, 2016
Password expires    : never
Password inactive   : never
Account expires : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires   : 7
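
An added example, not part of the Splunk documentation: a shell function that checks shadow-format records against the cautions above (password aging on root, expired accounts, and expiration dates that are not before Jan 19, 2038). The function names and the sample records are constructed for illustration; on a real host, run it as root against /etc/shadow.

```shell
#!/bin/sh
# Added example: audit shadow-format records against the cautions on this page.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are counted in days since 1970-01-01).

# Constructed sample records, not taken from a real system.
sample_shadow() {
cat <<'EOF'
root:!locked:17145:0:90:7:::
phantom:!locked:17145:0:99999:7:::
analyst:!locked:17145:0:99999:7::19358:
svcuser:!locked:17145:0:99999:7::24900:
EOF
}

# audit_shadow FILE [TODAY_IN_DAYS]
# Prints one finding per line. FILE may be - to read standard input.
# TODAY_IN_DAYS defaults to the current date (hypothetical parameter for testing).
audit_shadow() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        BEGIN { limit = 24855 }   # 2038-01-19, the signed 32-bit time limit
        # Password aging on root is the case the page warns against.
        $1 == "root" && $5 != "" && $5 + 0 < 99999 {
            print $1 ": password expires every " $5 " days"
        }
        # An expired account is blocked even with key pair authentication.
        $8 != "" && $8 + 0 <= today {
            print $1 ": account expired on day " $8
        }
        # Account expiration dates must fall before 2038-01-19.
        $8 != "" && $8 + 0 >= limit {
            print $1 ": account expiration day " $8 " is not before 2038-01-19"
        }
    ' "$1"
}

# Demonstration run on the constructed records.
sample_shadow | audit_shadow -
```

Day 19358 in the sample corresponds to January 1, 2023, so the `analyst` record is reported as expired on any later date.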
Last modified on 07 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

