I've noticed by default that Splunk Forwarder gives itself /bin/bash in /etc/passwd.
I changed it to the below and restarted:
Best I can tell there was no impact. Scripted inputs are working, as are the monitor stanzas.
Is there any reason I should leave Splunk user with a Shell?
The splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need a Linux shell.
I usually disable it in my production installation.
You should also lock the splunk user, not only set its shell to nologin. If/when you need to use e.g. btool to check what those configurations are, just use the "sudo -usplunk bash" command to get a shell.
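Added example (not from the thread or from Splunk): a small POSIX sh audit that finds service accounts still holding an interactive shell in passwd-format text, rewrites the shell to nologin in that text, and checks whether the account's password is locked in shadow-format text, as the answer above recommends. The sample entries are constructed, and the /usr/sbin/nologin path assumes a Debian-style layout.

```shell
#!/bin/sh
# Audit and hardening helpers for a service account such as "splunk".
# On a live host the equivalent commands are:
#   usermod -s /usr/sbin/nologin splunk   # /sbin/nologin on RHEL-style systems
#   usermod -L splunk                     # lock the password (or: passwd -l splunk)
#   sudo -u splunk bash                   # still works for btool etc.; no login shell needed

# Constructed sample entries (real data lives in /etc/passwd and /etc/shadow).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
splunk:x:1001:1001:Splunk Forwarder:/opt/splunkforwarder:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
SAMPLE_SHADOW='root:!:19700:0:99999:7:::
splunk:$6$placeholderhash:19700:0:99999:7:::'

# Print accounts with UID >= 1000 whose shell is interactive (not nologin/false).
audit_interactive_shells() {
    awk -F: '$3 >= 1000 && $7 !~ /\/(nologin|false)$/ { print $1 }'
}

# Rewrite USER's shell field to /usr/sbin/nologin in passwd text read from stdin.
set_nologin_shell() {
    awk -F: -v OFS=: -v u="$1" '$1 == u { $7 = "/usr/sbin/nologin" } { print }'
}

# Exit 0 if USER's shadow entry on stdin has a locked password ("!" or "*" prefix).
password_locked() {
    awk -F: -v u="$1" '$1 == u { found = 1; if ($2 ~ /^[!*]/) ok = 1 }
                       END { exit (found && ok) ? 0 : 1 }'
}

# Lock USER's password in shadow text on stdin by prefixing the hash with "!",
# which is what usermod -L does on the real file.
lock_password() {
    awk -F: -v OFS=: -v u="$1" '$1 == u && $2 !~ /^[!*]/ { $2 = "!" $2 } { print }'
}

# Demo run on the constructed sample: lists the accounts that still need hardening.
printf '%s\n' "$SAMPLE_PASSWD" | audit_interactive_shells
```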
There is no need for the Splunk account to have a shell assigned to it.