Reset the admin and root passwords in Splunk Phantom
You can reset the passwords for the following accounts to meet your organization's hardening requirements, or if you misplace or forget them:
- The admin user for the Splunk Phantom web interface. This is a default account in Splunk Phantom that can't be deleted. It must always be available so that you can access Splunk Phantom in cases where other authentication methods such as LDAP fail. See Reset the admin password in Splunk Phantom.
- The root user for the underlying CentOS Linux operating system. This account is required for maintenance tasks such as upgrades, and is also used to reset the admin password.
Reset the admin password in Splunk Phantom
To reset the admin user password, perform the following tasks:
- Log in to the operating system with your normal user account.
- Run the sudo su command to switch to the root user.
- Run the following commands:
export PYTHONPATH=/opt/phantom/lib/:/opt/phantom/www/
phenv python2.7 /opt/phantom/www/manage.py changepassword admin
- Enter a new password, then enter it again to confirm. Both passwords must match.
- To verify, access the Splunk Phantom web interface and log in as the admin user using the new password.
If the admin account has Duo two-factor authentication enabled and is no longer working properly, perform the following steps to temporarily disable the two-factor authentication:
- Run the following command as root:
phenv python2.7 /opt/phantom/bin/set_preference.pyc --disable-admin-2fa
- Confirm that you want to disable two-factor authentication for the admin account.
Reset the root password in Splunk Phantom
To reset the root password in Splunk Phantom, perform the following tasks:
- Configure the virtual machine to boot from a CD.
- Mount the virtual machine root disk.
- Edit the password file.
- Mark the disk for re-labeling.
- Set a new password.
Configure the virtual machine to boot from a CD
Perform the following steps to configure the virtual machine (VM) to boot from a CD.
- Take a snapshot of the VM before performing this kind of recovery operation.
- Obtain a Linux boot CD ISO that has the LVM tools on it. This has been successfully tested with SystemRescueCd-x86-4.7.2.
- Configure the VM in your virtualization environment to boot from this ISO image.
- Once configured, reset the VM so that it reboots.
- Boot the VM from the CD image.
VMware products typically require that you press a key at the brief BIOS screen to make the VM boot from the CD rather than the virtual hard drive. This might take very careful timing. If you are unable to get it to boot from the CD image by manually pressing the button quickly enough, go to this VMware community page and search for "bios.bootDelay."
- Follow the prompts for your boot CD until you are able to get to a shell.
Mount the virtual machine root disk
When you have a root shell, perform the following tasks to mount the Splunk Phantom VM drive.
- Run the lvscan command to make sure you can see the LVM drives.
- Use the following command to mount the drive:
mount /dev/VolGroup/lv_root /mnt
If your boot CD doesn't have a /mnt directory for mounting, substitute an appropriate mount location.
Edit the password file
Perform the following tasks to edit the /etc/passwd file:
- Use a text editor to open the file. For example, to use vi type the following at the command line:
vi /mnt/etc/passwd
- Find the line for the root user, which looks like the following:
root:x:0:0:root:/root:/opt/phantom/bin/setup
- Remove the "x" between the first two colons, so it looks like the following:
root::0:0:root:/root:/opt/phantom/bin/setup
The "x" normally tells the operating system to look in /etc/shadow for the password hash. Having it blank means root has no password at all.
Mark the disk for relabeling
Because the Splunk Phantom virtual machine uses SELinux, perform the following steps to mark the disk for relabeling:
- Run the following command to have Linux relabel the drives when they are booted:
touch /mnt/.autorelabel
- To make sure the changes are written out, unmount the disk and reboot:
umount /mnt
reboot
Set a new root password
To set a new root password, follow these steps:
- Log in as root to the VM console. You will not be prompted for a password.
- When you are logged in, set a new root password immediately.
- After setting the password, log out and then log back in with the new password to verify that the password is correct.
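Removing the "x" from the root line leaves an account that needs no password, and that state must not survive past the final step. The following shell helpers are an added example, not part of the Splunk Phantom documentation, for checking after the reboot that every account in a passwd file again defers to the shadow file, that no shadow entry has an empty hash, and whether the SELinux relabel marker is still pending. File paths are passed as arguments; the demo at the bottom uses constructed sample files only, never the live system files.

```shell
#!/bin/sh
# Added example (not Splunk Phantom's own code): verify that the temporary
# "root has no password" state created during recovery has been undone.

# Print the names of accounts whose password field (field 2) is empty in a
# passwd- or shadow-formatted file given as $1.
find_passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print how many accounts in file $1 have an empty password field.
count_passwordless_accounts() {
    find_passwordless_accounts "$1" | wc -l | tr -d ' '
}

# Return 0 when every account in the passwd file ($1) defers to shadow
# ("x" in field 2) and no entry in the shadow file ($2) has an empty hash;
# return 1 otherwise.
audit_password_files() {
    [ "$(awk -F: '$2 != "x" { n++ } END { print n+0 }' "$1")" -eq 0 ] || return 1
    [ "$(count_passwordless_accounts "$2")" -eq 0 ] || return 1
    return 0
}

# Return 0 if the SELinux relabel marker still exists under root directory $1.
# The marker is consumed by the relabel on reboot, so a lingering marker means
# the relabel has not happened yet.
autorelabel_pending() {
    [ -e "$1/.autorelabel" ]
}

# --- constructed demo data (sample files, not real system files) ---
demo_dir=$(mktemp -d)

# State while the recovery is in progress: root's password field is blank.
cat > "$demo_dir/passwd.during" <<'EOF'
root::0:0:root:/root:/opt/phantom/bin/setup
phantom:x:1000:1000::/home/phantom:/bin/bash
EOF

# State after a new root password has been set: the "x" is back.
cat > "$demo_dir/passwd.after" <<'EOF'
root:x:0:0:root:/root:/opt/phantom/bin/setup
phantom:x:1000:1000::/home/phantom:/bin/bash
EOF

# Shadow file with constructed placeholder hashes (not real hashes).
cat > "$demo_dir/shadow.after" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
phantom:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF

# Simulate the marker left by "touch /mnt/.autorelabel".
touch "$demo_dir/.autorelabel"

echo "passwordless during recovery: $(find_passwordless_accounts "$demo_dir/passwd.during")"
if audit_password_files "$demo_dir/passwd.after" "$demo_dir/shadow.after"; then
    echo "after reset: no passwordless accounts"
fi
if autorelabel_pending "$demo_dir"; then
    echo "relabel marker still present: reboot has not consumed it yet"
fi
```

On the real system, run the audit as root against /etc/passwd and /etc/shadow (for example `audit_password_files /etc/passwd /etc/shadow`) and check `autorelabel_pending /` once the VM has rebooted; a non-zero exit from the audit means the recovery left an account without a password.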
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8