Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does Splunk Forwarder need an interactive login?

danielteachesit
New Member
‎06-27-2022 04:28 PM

All, 

I've noticed by default that Splunk Forwarder gives itself /bin/bash  in /etc/passwd. 

e.g.

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash

I changed it to the below and restarted:

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin

Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's. 

Is there any reason I should leave Splunk user with a Shell? 

 

thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-27-2022 11:15 PM

Hi @danielteachesit,

the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.

I usually disable it in my production installation.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-28-2022 05:03 AM

You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 05:12 PM

There is no need for the Splunk account to have a shell assigned to it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...