Splunk® Phantom (Legacy)

Administer Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Reset the admin and root passwords in Splunk Phantom

You can reset the passwords for the following accounts to meet your organization's hardening requirements, or if you misplace or forget them:

  • The admin user for the Splunk Phantom web interface. This is a default account in Splunk Phantom that can't be deleted. It must always be available so that you can access Splunk Phantom in cases where other authentication methods such as LDAP fail. See Reset the admin password in Splunk Phantom.
  • The root user for the underlying CentOS Linux operating system. This account is required for maintenance tasks such as upgrades, and is also used to reset the admin password.

Reset the admin password in Splunk Phantom

To reset the admin user password, perform the following tasks:

  1. Log in to the operating system with your normal user account.
  2. Run the sudo su command to switch to the root user.
  3. Run the following commands:
    export PYTHONPATH=/opt/phantom/lib/:/opt/phantom/www/
    phenv python2.7 /opt/phantom/www/manage.py changepassword admin
    
  4. Enter a new password, then enter it again to confirm. Both passwords must match.
  5. To verify, access the Splunk Phantom web interface and log in as the admin user using the new password.

If the admin account has Duo two-factor authentication enabled and the second factor is no longer working (for example, the enrolled device is lost), perform the following steps to temporarily disable two-factor authentication for that account. Re-enable it once you can log in again.

  1. Run the following command as root:
    phenv python2.7 /opt/phantom/bin/set_preference.pyc --disable-admin-2fa
  2. Confirm that you want to disable two factor authentication for the admin account.

Reset the root password in Splunk Phantom

To reset the root password in Splunk Phantom, perform the following tasks:

  1. Configure the virtual machine to boot from a CD.
  2. Mount the virtual machine root disk.
  3. Edit the password file.
  4. Mark the disk for re-labeling.
  5. Set a new password.

Configure the virtual machine to boot from a CD

Perform the following steps to configure the virtual machine (VM) to boot from a CD.

  1. Take a snapshot of the VM before performing this kind of recovery operation.
  2. Obtain a Linux boot CD ISO that has the LVM tools on it. This has been successfully tested with SystemRescueCd-x86-4.7.2.
  3. Configure the VM in your virtualization environment to boot from this ISO image.
  4. Once configured, reset the VM so that it reboots.
  5. Boot the VM from the CD image.

VMware products typically require that you press a key at the brief BIOS screen to make the VM boot from the CD rather than the virtual hard drive. This can require very careful timing. If you cannot press the key quickly enough to boot from the CD image, search the VMware community forums for "bios.bootDelay", a VM configuration setting that lengthens the BIOS pause.

  6. Follow the prompts for your boot CD until you reach a shell.

Mount the virtual machine root disk

When you have a root shell, perform the following tasks to mount the Splunk Phantom VM drive.

  1. Run the lvscan command to make sure you can see the LVM drives.
  2. Use the following command to mount the drive:
    mount /dev/VolGroup/lv_root /mnt

If your boot CD doesn't have a /mnt directory for mounting, substitute an appropriate mount location. If lvscan shows the Splunk Phantom root volume under a different volume group or logical volume name, use that device path instead of /dev/VolGroup/lv_root.

Edit the password file

Perform the following tasks to edit the /etc/passwd file:

  1. Use a text editor to open the file. For example, to use vi type the following at the command line:
    vi /mnt/etc/passwd
  2. Find the line for the root user, which looks like the following:
    root:x:0:0:root:/root:/opt/phantom/bin/setup
  3. Remove the "x" between the first two colons, so it looks like the following:
    root::0:0:root:/root:/opt/phantom/bin/setup
    The "x" normally tells the operating system that the password hash is stored in /etc/shadow. An empty field means root has no password at all, so leave every other part of the line, and every other line in the file, exactly as it is.

Mark the disk for relabeling

The Splunk Phantom virtual machine runs with SELinux enabled, and a file written from the rescue system can end up with a missing or incorrect SELinux security context. Perform the following steps to have the disk relabeled on the next boot:

  1. Run the following command so that Linux relabels the file system when it is booted:
    touch /mnt/.autorelabel
  2. To make sure the changes are written out, unmount the disk and reboot:
    umount /mnt
    reboot

Before the VM comes back up, change its boot configuration back so that it boots from the virtual hard disk rather than the ISO image; otherwise it boots into the rescue CD again.
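
The two edits above, blanking root's password field in the mounted disk's /etc/passwd and requesting an SELinux relabel, can be done with one script run from the rescue shell. The following is an added example and is not part of the Splunk Phantom documentation or product; the function names and the constructed sample passwd lines are illustrative only. It assumes the Phantom root volume is already mounted at the path you pass in (for example /mnt). Unlike a hand edit, it refuses to touch the file unless it finds exactly one entry named root with UID 0, changes only that entry's password field, and leaves every other line as it was.

```shell
#!/bin/sh
# Added example (not Splunk's code): clear root's password field in the
# mounted Phantom root disk's /etc/passwd and request an SELinux relabel.
# Usage: sh reset_root_entry.sh /mnt   (after mounting the LVM root volume)

# Print the passwd entry for the root user (name "root", UID 0).
root_line() {
    awk -F: '$1 == "root" && $3 == 0' "$1"
}

# Blank the second (password) field of the root entry only. Refuses to run
# unless exactly one root/UID-0 entry exists, so a damaged or unexpected
# passwd file is never rewritten by mistake. Other lines are printed as-is.
blank_root_password() {
    passwd_file="$1"
    count=$(awk -F: '$1 == "root" && $3 == 0 { n++ } END { print n+0 }' "$passwd_file")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one root entry in $passwd_file, found $count" >&2
        return 1
    fi
    tmp="$passwd_file.tmp.$$"
    # Assigning to $2 makes awk rebuild only that line, joined with OFS=":".
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" && $3 == 0 { $2 = "" } { print }' \
        "$passwd_file" > "$tmp" || return 1
    # Write through the existing inode so mode and ownership are preserved.
    cat "$tmp" > "$passwd_file" && rm -f "$tmp"
}

# Ask SELinux to relabel the whole file system on the next boot, which
# repairs the context of the file we just rewrote from the rescue system.
request_relabel() {
    touch "$1/.autorelabel"
}

# Entry point: mount point of the Phantom root volume, e.g. /mnt.
reset_root_entry() {
    mnt="$1"
    if [ ! -f "$mnt/etc/passwd" ]; then
        echo "no passwd file under $mnt; is the root volume mounted?" >&2
        return 1
    fi
    blank_root_password "$mnt/etc/passwd" && request_relabel "$mnt"
}

# Only act when a mount point is given on the command line.
case "${1:-}" in
    "") ;;
    *) reset_root_entry "$1" ;;
esac
```

After the script succeeds, continue with the unmount and reboot steps. If lvscan lists the Phantom logical volume as inactive, activate it with vgchange -ay before mounting; the script itself assumes the mount has already been done.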
    

Set a new root password

To set a new root password, follow these steps:

  1. Log in as root at the VM console. Because the password field is empty, you are not prompted for a password.
  2. As soon as you are logged in, set a new root password (for example, with the passwd command). Until you do, anyone with access to the VM console can log in as root without a password.
  3. Log out and log back in with the new password to verify that it works. Once verified, the snapshot taken before the recovery can be discarded.
Last modified on 24 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
