Secure the default account after installing Splunk UBA
Use the caspida user account to manage and administer your Splunk UBA deployment. Perform the following tasks after installing Splunk UBA:
- Change the default password for this account.
- Limit the sudo access for this account.
Change the default password for the caspida account
Change the default password for the server management account to secure your installation. The default account username is caspida and the default password is caspida123.
After you install Splunk UBA, change the password of the caspida account with the passwd command. The caspida account exists on every node of the deployment and passwd changes only the local account on the host where you run it, so repeat this step on each node in a multi-node cluster.
1. Log in to the Splunk UBA management server as the caspida user.
2. Change the password to a new one:
passwd
Change the default password to log in to Splunk UBA
Splunk UBA also includes a default admin account that you can use to log in to Splunk UBA. The default username for Splunk UBA is admin and the default password is changeme.
- To change the password of the admin account for Splunk UBA, see Change user profile settings in Splunk UBA.
- To manage accounts and access to Splunk UBA, see Manage user accounts and account roles in Splunk UBA.
Restrict sudo access for the caspida account
By default, the caspida user is given ALL access in /etc/sudoers during Splunk UBA installation and upgrade: the line caspida ALL=(ALL) NOPASSWD: ALL lets the account run any command as root without entering a password. Follow the procedures in this section if you want to restrict sudo access for the caspida user after Splunk UBA is installed or upgraded.
Make sure the root password is set, and that you know it, before you restrict sudo access. Once the caspida account no longer has unrestricted sudo, the root account is what you log in as for the administrative steps below and for reverting the change.
1. Use SSH to log in to the Splunk UBA management node as the caspida user.
2. Stop all services:
/opt/caspida/bin/Caspida stop-all
3. Repeat steps 1 and 2 on each node in the Splunk UBA cluster.
4. On the Splunk UBA management node, log in as root.
5. Check whether a ubasudoers file already exists in /etc/sudoers.d. If there is no existing file, skip to step 6. If there is an existing ubasudoers file:
- Save a copy of /opt/caspida/etc/sudoers.d/ubasudoers.
- Merge any customizations from the /etc/sudoers.d/ubasudoers file into /opt/caspida/etc/sudoers.d/ubasudoers.
6. Modify the /opt/caspida/etc/sudoers.d/ubasudoers file by running the following commands as the caspida user. Run them only once: each sed command inserts text before a fixed line number in the file as shipped, so running them a second time duplicates the entries, and if the customizations you merged in step 5 added or removed lines above those positions the new entries land in the wrong place. Step 7 validates the syntax of the result but not the placement, so review the file after running the commands.
sed -i '120i\ /usr/sbin/service cri-docker *, \\' /opt/caspida/etc/sudoers.d/ubasudoers
sed -i '130i\ /sbin/service cri-docker *, \\' /opt/caspida/etc/sudoers.d/ubasudoers
sed -i '135i\ /bin/systemctl start kubelet.service, /usr/bin/systemctl start kubelet.service, \\' /opt/caspida/etc/sudoers.d/ubasudoers
sed -i '135i\ /bin/systemctl restart kubelet.service, /usr/bin/systemctl restart kubelet.service, \\' /opt/caspida/etc/sudoers.d/ubasudoers
sed -i '135i\ /bin/systemctl start docker.service, /usr/bin/systemctl start docker.service, \\' /opt/caspida/etc/sudoers.d/ubasudoers
sed -i '135i\ /bin/systemctl restart docker.service, /usr/bin/systemctl restart docker.service, \\' /opt/caspida/etc/sudoers.d/ubasudoers
/opt/caspida/bin/Caspida sync-cluster /opt/caspida
7. Run the following command as root:
visudo -c -f /opt/caspida/etc/sudoers.d/ubasudoers
The expected output is:
/opt/caspida/etc/sudoers.d/ubasudoers: parsed OK
- If the file does not parse correctly, do not proceed further and do not copy the file into /etc/sudoers.d: exit the root prompt and go to step 9 to start all services. Contact Splunk Support for assistance with fixing the ubasudoers file.
- If the file parses correctly:
  - Run the following commands:
cp -f /opt/caspida/etc/sudoers.d/ubasudoers /etc/sudoers.d/ubasudoers
chmod 440 /etc/sudoers.d/ubasudoers
chown root:root /etc/sudoers.d/ubasudoers
  - Remove the following line from the /etc/sudoers file, if it exists. Edit the file with visudo rather than a plain text editor, so the change is syntax-checked before it is saved; a syntax error in /etc/sudoers locks everyone out of sudo.
caspida ALL=(ALL) NOPASSWD: ALL
  - Remove the following line from the /etc/sudoers.d/ubasudoers file, if it exists (edit it with visudo -f /etc/sudoers.d/ubasudoers):
caspida ALL=(ALL) NOPASSWD: ALL
  - Exit the root prompt.
8. Repeat steps 4 through 7 on all other Splunk UBA nodes.
9. Log in to the Splunk UBA management node and start all services:
/opt/caspida/bin/Caspida start-all
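The procedure above leaves three things to check by hand on every node: that no unrestricted grant for caspida survives in /etc/sudoers or /etc/sudoers.d, that the installed drop-in has the mode and owner sudo expects, and that the fragment parses. The script below is an added example written for this page, not Splunk UBA code or part of its documentation. It assumes a Linux host with GNU grep and stat (BSD stat is tried as a fallback) and uses visudo only when it is installed; the function names and the sample file contents in the demo are constructed placeholders, not the real ubasudoers file.

```shell
#!/usr/bin/env bash
# Added example, not Splunk UBA code: audit helpers for the caspida sudoers drop-in.
# Assumes Linux with GNU grep and stat (BSD stat is tried as a fallback); visudo is
# used only when it is installed. All paths are supplied by the caller.

# Extended regex matching an unrestricted grant for USER, e.g. "caspida ALL=(ALL) NOPASSWD: ALL".
# It tolerates extra whitespace and the "(ALL:ALL)" runas form, and is anchored at the
# first non-blank character so commented-out copies of the line do not match.
full_grant_regex() {
    printf '%s\n' "^[[:space:]]*$1[[:space:]]+ALL[[:space:]]*=[[:space:]]*\\(ALL(:ALL)?\\)[[:space:]]*NOPASSWD:[[:space:]]*ALL[[:space:]]*\$"
}

# Print every file among ETC_DIR/sudoers and ETC_DIR/sudoers.d/* that still carries the
# unrestricted grant for USER (default caspida). On a real host: find_full_grants /etc caspida
find_full_grants() {
    local etc_dir="$1" user="${2:-caspida}" re f
    re="$(full_grant_regex "$user")"
    for f in "$etc_dir/sudoers" "$etc_dir"/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq -- "$re" "$f"; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Return 0 when FILE has the permissions the procedure sets with chmod 440 / chown root:root:
# mode 0440 and, unless CHECK_OWNER is 0, owned by root (pass 0 when testing as non-root).
drop_in_perms_ok() {
    local f="$1" check_owner="${2:-1}" mode owner
    mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")" || return 1
    [ "$mode" = "440" ] || return 1
    [ "$check_owner" = "0" ] && return 0
    owner="$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")" || return 1
    [ "$owner" = "root" ]
}

# Syntax-check a sudoers fragment the way step 7 does (visudo -c -f FILE).
# Returns 0 for "parsed OK", 2 when visudo is not installed, and visudo's own
# non-zero status when it rejects the file (syntax, or owner/mode on some versions).
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1"
}

# Demonstration on constructed files in a temporary directory standing in for /etc.
# The contents are placeholders, not the real Splunk UBA ubasudoers file.
demo() {
    local tmp rc
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/sudoers.d"
    printf 'root ALL=(ALL) ALL\ncaspida ALL=(ALL) NOPASSWD: ALL\n' > "$tmp/sudoers"
    printf '# restricted drop-in (placeholder)\ncaspida ALL=(root) NOPASSWD: /usr/bin/systemctl start kubelet.service\n' \
        > "$tmp/sudoers.d/ubasudoers"
    chmod 440 "$tmp/sudoers.d/ubasudoers"

    echo "Files still granting caspida unrestricted sudo:"
    find_full_grants "$tmp" caspida          # lists only $tmp/sudoers

    if drop_in_perms_ok "$tmp/sudoers.d/ubasudoers" 0; then
        echo "drop-in mode is 0440 (owner not checked in this demo)"
    fi

    rc=0
    sudoers_syntax_ok "$tmp/sudoers.d/ubasudoers" || rc=$?
    case $rc in
        0) echo "visudo: parsed OK" ;;
        2) echo "visudo not installed; syntax not checked" ;;
        *) echo "visudo rejected the file; fix it before copying it into /etc/sudoers.d" ;;
    esac
    rm -rf "$tmp"
}
demo
```

Run find_full_grants /etc caspida as root on each node after step 7; an empty result means the unrestricted line is gone from both /etc/sudoers and every drop-in. The regex deliberately accepts whitespace variants and (ALL:ALL), since a grep for the literal string from the procedure would miss a line that was reformatted by hand.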
Enable ALL sudo access for the caspida account
To restore full sudo permissions for the caspida user (reversing the restriction above), perform the following on all nodes in the cluster:
1. Log in as the root user.
2. Add the following line to the /etc/sudoers.d/ubasudoers file. Edit it with visudo -f /etc/sudoers.d/ubasudoers so the file is syntax-checked before it is saved:
caspida ALL=(ALL) NOPASSWD: ALL
3. Exit the root prompt.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1