Does Splunk Forwarder need an interactive login?

danielteachesit · ‎06-27-2022

All,

I've noticed by default that Splunk Forwarder gives itself /bin/bash in /etc/passwd.

e.g.

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash

I changed it to the below and restarted:

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin

Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's.

Is there any reason I should leave Splunk user with a Shell?

thanks!

gcusello · ‎06-27-2022

Hi @danielteachesit,

the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.

I usually disable it in my production installation.

Ciao.

Giuseppe

isoutamo · ‎06-28-2022

You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.

richgalloway · ‎06-27-2022

There is no need for the Splunk account to have a shell assigned to it.

---
If this reply helps you, Karma would be appreciated.

Does Splunk Forwarder need an interactive login?

access control

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform