I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed, and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines, and that is the only reason I could think of for having a shell.
Actually the command
enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run
A workaround is to run
enable boot-start and then to add to the file
$SPLUNK_HOME/etc/splunk-launch.conf (splunk forwarder 6.1.1)
Note: this may prevent some functions of the forwarder that require su or a valid shell (I don't know Splunk well enough to judge); run at your own risk.
Yes, I confirm: as of today, on a CentOS 6 server, we tested modifying the shell for the splunk user from /bin/bash to /sbin/nologin.
On this server it is running the Splunk Universal Forwarder.
After modifying the /etc/passwd file and restarting the Splunk Universal Forwarder, it is still working, as are the scripts directly launched by it.

# to modify the shell
usermod -s /sbin/nologin splunk
# to restart the Universal Forwarder
/etc/init.d/splunk restart
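To check the result of this change in a way an auditor can repeat, here is an added example (not from this thread or from Splunk) that reads passwd-format data, reports which accounts still have an interactive shell, and shows the splunk entry before and after the shell is switched. The passwd lines are constructed sample data, not taken from a real host.

```shell
# Constructed sample in /etc/passwd format (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
splunk:x:1001:1001:Splunk user:/opt/splunkforwarder:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

# Shells that refuse an interactive login.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# Print the login shell recorded for one account ($1) in passwd text ($2).
# An empty field is printed as empty; login(1) would then fall back to /bin/sh.
account_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Return 0 if the account's shell is one of NOLOGIN_SHELLS, 1 otherwise
# (including when the account does not exist at all).
is_noninteractive() {
    shell=$(account_shell "$1" "$2")
    [ -n "$shell" ] || return 1
    for s in $NOLOGIN_SHELLS; do
        [ "$s" = "$shell" ] && return 0
    done
    return 1
}

# List every account whose shell is not in NOLOGIN_SHELLS, one per line,
# so a reviewer can see which accounts were not locked down.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: -v list="$NOLOGIN_SHELLS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) nl[a[i]] = 1 }
        !($7 in nl) { print $1 }'
}

# Rewrite the shell of account $1 to $2 in passwd text $3 and print the result.
# This mirrors what "usermod -s" does to /etc/passwd, but only on the text,
# so the before/after state can be checked without touching the host.
set_shell() {
    printf '%s\n' "$3" | awk -F: -v OFS=: -v u="$1" -v s="$2" '$1 == u { $7 = s } { print }'
}
```

Running interactive_accounts against the live /etc/passwd after the usermod above should no longer list splunk; if it still does, the change did not take effect.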