Change the default password for the server management account to secure your installation.

The default account username is caspida and the default password is caspida123.

After you install Splunk UBA, change the password of the caspida account with the passwd command.

1. Log in to the Splunk UBA management server as the caspida user.
2. Change the password to a new one.
   passwd

Splunk UBA also includes a default admin account that you can use to log in to Splunk UBA. The default username for Splunk UBA is admin and the default password is changeme.

• To change the password of the admin account for Splunk UBA, see Change user profile settings in Splunk UBA in the Use Splunk User Behavior Analytics manual.
• To manage accounts and access to Splunk UBA, see Manage user accounts and account roles in Splunk UBA in the Administer Splunk User Behavior Analytics manual.

By default, the caspida user is given ALL access in /etc/sudoers during Splunk UBA installation and upgrade. Follow the procedures in this section if you want to restrict sudo access for the caspida user after Splunk UBA is installed or upgraded.

1. Use SSH to login as the caspida user to the management node of Splunk UBA.
2. Stop all services:

   /opt/caspida/bin/Caspida stop-all

3. On the Splunk UBA management node, login as root.
4. Save a copy of /opt/caspida/etc/sudoers.d/ubasudoers:

   cp -p /opt/caspida/etc/sudoers.d/ubasudoers /opt/caspida/etc/sudoers.d/ubasudoers.backup

5. Check to see if a ubasudoers file already exists in /etc/sudoers.d. If there is no existing file, or you want to overwrite the existing file, and don't mind overwriting previous customizations, go to step 6.
   1. If there is an existing ubasudoers file you want to merge, then merge any customizations from the /etc/sudoers.d/ubasudoers file to /opt/caspida/etc/sudoers.d/ubasudoers.
6. Run the following command as the root user:

   visudo -c -f /opt/caspida/etc/sudoers.d/ubasudoers

   The expected output is:

   /opt/caspida/etc/sudoers.d/ubasudoers: parsed OK
   1. If the file does not parse correctly do not proceed further; exit the root prompt and go to step 9 to start all services. Contact Splunk Support for assistance with fixing the ubasudoers file.
   2. If the file does parse correctly:
      1. Run the following commands:

         cp -f /opt/caspida/etc/sudoers.d/ubasudoers /etc/sudoers.d/ubasudoers
         chmod 440 /etc/sudoers.d/ubasudoers
         chown root:root /etc/sudoers.d/ubasudoers
         sed -i 's/service postgresql \*,/service postgresql\*,/g' /etc/sudoers.d/ubasudoers
         sed -i 's#/usr/bin/hdfs dfsadmin -report\*, \\#/usr/bin/hdfs dfsadmin *, \\#g' /etc/sudoers.d/ubasudoers
         sed -i 's#/usr/bin/hdfs fsck /, /bin/hdfs fsck /, \\#/usr/bin/hdfs fsck *, /bin/hdfs fsck *, \\#' /etc/sudoers.d/ubasudoers
         

      2. Remove the following line from the /etc/sudoers file, if it exists:
         caspida ALL=(ALL) NOPASSWD: ALL
      3. Remove the following line from the /etc/sudoers.d/ubasudoers file, if it exists:
         caspida ALL=(ALL) NOPASSWD: ALL
      4. Exit the root prompt.
7. Become the caspida user on the management node and perform a sync-cluster:

   /opt/caspida/bin/Caspida sync-cluster /opt/caspida/etc/sudoers.d/

8. Repeat step 6 on all Splunk UBA nodes before moving to next step.
9. Login to the Splunk UBA management node and start all services.

   /opt/caspida/bin/Caspida start-all

To enable the caspida user to have full sudo permissions on the system, perform the following on all nodes in the cluster:

1. Login as the root user.
2. Add the following line to the /etc/sudoers.d/ubasudoers file:

   caspida ALL=(ALL) NOPASSWD: ALL

3. Exit the root prompt.