I've noticed by default that Splunk Forwarder gives itself /bin/bash in /etc/passwd.
I changed it to the below and restarted:
Best I can tell there was no impact. Scripted inputs are working, as are the monitor stanzas.
Is there any reason I should leave Splunk user with a Shell?
You should also lock the splunk user, not only set the shell to nologin. If/when you need to use e.g. btool to check what those configurations are, just use the "sudo -usplunk bash" command to get a shell.
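The two settings recommended in the answer above (a non-login shell and a locked password for the service account) can be audited from the account records. The script below is an added example, not part of the original thread or of Splunk's own tooling: it checks constructed /etc/passwd and /etc/shadow lines for a user assumed to be named "splunk", treating `/usr/sbin/nologin`, `/sbin/nologin` and `/bin/false` as non-login shells and a leading `!` or `*` in the shadow password field (what `usermod -L` / `passwd -l` write) as a lock.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a service account's
# login shell and password-lock status against constructed passwd/shadow
# records. Assumptions: account name "splunk"; lock marker is a leading "!"
# or "*" in the shadow password field; nologin shells are listed below.

# Constructed sample records, shaped like /etc/passwd and /etc/shadow.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
splunk:x:1001:1001:Splunk:/opt/splunkforwarder:/usr/sbin/nologin'
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
splunk:!:19000:0:99999:7:::'

# login_shell USER PASSWD_CONTENT -> prints the 7th field of the user's passwd line
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# shell_is_nologin USER PASSWD_CONTENT -> 0 if the shell cannot start an interactive session
shell_is_nologin() {
    case "$(login_shell "$1" "$2")" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# password_locked USER SHADOW_CONTENT -> 0 if the password field is locked ("!..." or "*")
password_locked() {
    pw=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$pw" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# audit_account USER PASSWD_CONTENT SHADOW_CONTENT
# Prints one OK/WARN line per check; returns 0 only when both checks pass.
audit_account() {
    rc=0
    if shell_is_nologin "$1" "$2"; then
        echo "OK   $1: shell is $(login_shell "$1" "$2")"
    else
        echo "WARN $1: interactive shell $(login_shell "$1" "$2")"; rc=1
    fi
    if password_locked "$1" "$3"; then
        echo "OK   $1: password locked"
    else
        echo "WARN $1: password not locked (usermod -L $1)"; rc=1
    fi
    return $rc
}

# Run against the constructed sample. On a real host, feed the live files:
#   audit_account splunk "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)"
audit_account splunk "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
audit_account root "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || true
```

Because the account has no usable password and no login shell, the only way into it is via `sudo -u splunk`, which is the path the answer describes; that keeps every interactive use of the account attributable to the administrator who invoked sudo.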