I've seen a few older posts on this, so I thought I might try and get a more recent answer.
There are situations in which you might want to run the Universal Forwarder as root. Sensibly, new versions of the UF remove the default password issue, but the existence of the Splunk management port running as root exposes the UF to the possibility of a remote and local privilege escalation, whether through poor password management by an admin or some undiscovered authentication flaw in the UF itself.
Disabling the management port altogether should remove that vector entirely.
There is a documented method in server.conf. To save you looking it up, here are the docs from 8.1.3:
disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port, which is 8089 by default.
* NOTE: Changing this setting is not recommended.
* This is the general communication path to splunkd. If it is disabled, there is no way to communicate with a running splunk instance.
* This means many command line splunk invocations cannot function, Splunk Web cannot function, the REST interface cannot function, etc.
* If you choose to disable the port anyway, understand that you are selecting reduced Splunk functionality.
* Default: false
In my testing, enabling it on a UF seems OK. Some CLI commands fail, notably anything that needs to authenticate.
My question is: other than most CLI commands, will anything important to the UF break?
Please read the complete config information:
disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port, which is 8089 by default.
* On Universal Forwarders, when this value is "true" the value set for mgmtHostPort in web.conf will be ignored. Similarly, when set to "false", the value set for mgmtHostPort in web.conf will be used for binding management port.
* NOTE: On Universal Forwarders, to reduce the risk of exploitation Splunk recommends the management port is disabled and local CLI is not used. If the management port is enabled, a valid TLS certification should be installed and the port should be bound to localhost.
* NOTE: Changing this setting is not recommended on other Splunk instances.
* This is the general communication path to splunkd. If it is disabled, there is no way to communicate with a running splunk instance.
* This means many command line splunk invocations cannot function, Splunk Web cannot function, the REST interface cannot function, etc.
* If you choose to disable the port anyway, understand that you are selecting reduced Splunk functionality.
* Default: false
The older posts on this topic are still valid.
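To check where a forwarder actually stands against the recommendation quoted in that answer (port disabled, or failing that bound to localhost), here is an added POSIX shell audit script; it is my own example, not code from this thread or from Splunk. It assumes the documented locations, disableDefaultPort in the [general] stanza of server.conf and mgmtHostPort in the [settings] stanza of web.conf, read from $SPLUNK_HOME/etc/system/local; it does not resolve precedence against app-level or default .conf files, and the live listener check needs ss(8).

```shell
#!/bin/sh
# Added example: audit a Universal Forwarder's management-port settings.
# Assumed layout (see lead-in): server.conf [general] disableDefaultPort and
# web.conf [settings] mgmtHostPort under $SPLUNK_HOME/etc/system/local.

# conf_get FILE STANZA KEY -> prints the key's value from that stanza (empty if unset).
conf_get() {
    [ -r "$1" ] || return 0
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_stanza = ($0 == stanza); next }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# uf_mgmt_port_state SPLUNK_HOME -> prints a summary line and returns:
#   0  management port disabled (the state recommended for a UF)
#   1  port enabled but bound to a loopback address
#   2  port enabled and not bound to loopback, or binding not set locally
uf_mgmt_port_state() {
    local_conf="$1/etc/system/local"
    disabled=$(conf_get "$local_conf/server.conf" general disableDefaultPort)
    case "$disabled" in
        true|1) echo "disabled: disableDefaultPort=$disabled"; return 0 ;;
    esac
    bind=$(conf_get "$local_conf/web.conf" settings mgmtHostPort)
    case "$bind" in
        127.0.0.1:*|localhost:*|"[::1]:"*)
            echo "enabled, loopback only: mgmtHostPort=$bind"; return 1 ;;
        "")
            echo "enabled, mgmtHostPort not set locally (check default web.conf)"; return 2 ;;
        *)
            echo "enabled, reachable off-host: mgmtHostPort=$bind"; return 2 ;;
    esac
}

# mgmt_port_listening PORT -> 0 if a TCP listener on PORT is visible, 1 if not,
# 2 if ss(8) is unavailable. Confirms the config matches the running splunkd.
mgmt_port_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
}
```

Run `uf_mgmt_port_state /opt/splunkforwarder; mgmt_port_listening 8089` on the forwarder after a restart: a disabled port should report state 0 and no listener.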