https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603476#M16187 <P>All,&nbsp;</P><P>I've noticed by default that Splunk Forwarder gives itself /bin/bash&nbsp; in /etc/passwd.&nbsp;</P><P>e.g.</P><PRE>splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash</PRE><P>I changed it to the below and restarted:</P><PRE>splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin</PRE><P>Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's.&nbsp;</P><P>Is there any reason I should leave Splunk user with a Shell?&nbsp;</P><P>&nbsp;</P><P>thanks!</P> Mon, 27 Jun 2022 23:28:31 GMT danielteachesit 2022-06-27T23:28:31Z https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603476#M16187 <P>All,&nbsp;</P><P>I've noticed by default that Splunk Forwarder gives itself /bin/bash&nbsp; in /etc/passwd.&nbsp;</P><P>e.g.</P><PRE>splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash</PRE><P>I changed it to the below and restarted:</P><PRE>splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin</PRE><P>Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's.&nbsp;</P><P>Is there any reason I should leave Splunk user with a Shell?&nbsp;</P><P>&nbsp;</P><P>thanks!</P> Mon, 27 Jun 2022 23:28:31 GMT https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603476#M16187 danielteachesit 2022-06-27T23:28:31Z https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603481#M16188 <P>There is no need for the Splunk account to have a shell assigned to it.</P> Tue, 28 Jun 2022 00:12:05 GMT https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603481#M16188 richgalloway 2022-06-28T00:12:05Z https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603504#M16189 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247240">@danielteachesit</a>,</P><P>the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.</P><P>I usually disable it in my production installation.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 28 Jun 2022 06:15:12 GMT https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603504#M16189 gcusello 2022-06-28T06:15:12Z https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603582#M16190 <P>You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.</P> Tue, 28 Jun 2022 12:03:45 GMT https://community.splunk.com/t5/Security/Does-Splunk-Forwarder-need-an-interactive-login/m-p/603582#M16190 isoutamo 2022-06-28T12:03:45Z