Security

Does Splunk Forwarder need an interactive login?

danielteachesit
New Member

All, 

I've noticed by default that Splunk Forwarder gives itself /bin/bash  in /etc/passwd. 

e.g.

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash

I changed it to the below and restarted:

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin

Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's. 

Is there any reason I should leave Splunk user with a Shell? 

 

thanks!

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @danielteachesit,

the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.

I usually disable it in my production installation.

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no need for the Splunk account to have a shell assigned to it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...