Security

Does Splunk Forwarder need an interactive login?

danielteachesit
New Member

All, 

I've noticed by default that Splunk Forwarder gives itself /bin/bash  in /etc/passwd. 

e.g.

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash

I changed it to the below and restarted:

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin

Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's. 

Is there any reason I should leave Splunk user with a Shell? 

 

thanks!

Labels (1)
0 Karma

gcusello
Esteemed Legend

Hi @danielteachesit,

the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.

I usually disable it in my production installation.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no need for the Splunk account to have a shell assigned to it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...