Security Concern: Does Splunk Need A Shell

imarks004
Path Finder

I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed, and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines, and that is the only reason I could think of for having a shell.

tfpblanchard
Explorer

Actually, the command enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run su).
A workaround is to run enable boot-start and then add the following line to the file $SPLUNK_HOME/etc/splunk-launch.conf (Splunk forwarder 6.1.1):

SPLUNK_OS_USER=splunk

Note: this may prevent some functions of the forwarder that require su or a valid shell (I don't know Splunk well enough to judge); run at your own risk.

See also: http://installingcats.com/2013/07/30/splunk-account-currently-not-available-boot-start/

gkanapathy
Splunk Employee

Generally it is the case that Splunk does not need a shell or terminal, that's right.

edoardo_vicendo
Contributor

Yes, I confirm: as of today, on a CentOS 6 server we tested changing the shell for the splunk user from /bin/bash to /sbin/nologin.

On this server it is running the Splunk Universal Forwarder.

After modifying the /etc/passwd file and restarting the Splunk Universal Forwarder, it is still working, as are the scripts launched directly by it.

# to modify the shell
usermod -s /sbin/nologin splunk

# to restart the Universal Forwarder
/etc/init.d/splunk restart

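As an added example (not code from any post in this thread): a POSIX sh audit that reports the splunk account's login shell from passwd-format data, lists service accounts that still have an interactive shell (what an auditor would flag), and checks whether the SPLUNK_OS_USER line from the boot-start workaround is present in splunk-launch.conf. The passwd excerpt, the UID threshold of 1000 and the launch config are constructed samples; a real run would read /etc/passwd and $SPLUNK_HOME/etc/splunk-launch.conf.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread). Inputs are constructed.

# Constructed /etc/passwd excerpt: splunk still has /bin/bash here.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
splunk:x:500:500:Splunk user:/opt/splunkforwarder:/bin/bash
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Constructed splunk-launch.conf after applying the SPLUNK_OS_USER workaround.
SAMPLE_LAUNCH_CONF='# Splunk launch configuration
SPLUNK_SERVER_NAME=splunkd
SPLUNK_OS_USER=splunk'

# Print the login shell (7th field) for the named user; passwd text on stdin.
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Succeed if the shell is a non-interactive one (nologin or false).
is_nologin() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# List accounts with UID below the threshold (service accounts) whose shell
# is still interactive; passwd text on stdin.
service_accounts_with_shell() {
    awk -F: -v max="$1" '$3 < max && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Print the SPLUNK_OS_USER value from launch-config text on stdin (empty if
# unset); comment lines do not match.
splunk_os_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Stand-alone run against the constructed data.
splunk_shell=$(printf '%s\n' "$SAMPLE_PASSWD" | shell_of splunk)
if is_nologin "$splunk_shell"; then
    echo "splunk shell is $splunk_shell (non-interactive)"
else
    echo "splunk shell is $splunk_shell; consider: usermod -s /sbin/nologin splunk"
fi
echo "service accounts with an interactive shell:" \
    $(printf '%s\n' "$SAMPLE_PASSWD" | service_accounts_with_shell 1000)
echo "SPLUNK_OS_USER=$(printf '%s\n' "$SAMPLE_LAUNCH_CONF" | splunk_os_user)"
```

If SPLUNK_OS_USER is present and the shell is nologin, enable boot-start has already been run with the workaround; otherwise run it before changing the shell, as the thread notes.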