Security Concern: Does Splunk Need A Shell

imarks004
Path Finder

I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed, and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines, and that is the only reason I could think of for having a shell.

tfpblanchard
Explorer

Actually the command enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run su).
A workaround is to run enable boot-start and then to add to the file $SPLUNK_HOME/etc/splunk-launch.conf (splunk forwarder 6.1.1)

SPLUNK_OS_USER=splunk

Note: this may prevent some functions of the forwarder that require su or a valid shell (I don't know Splunk well enough to judge); run at your own risk.

See also: http://installingcats.com/2013/07/30/splunk-account-currently-not-available-boot-start/

gkanapathy
Splunk Employee

Generally it is the case that Splunk does not need a shell or terminal, that's right.

edoardo_vicendo
Builder

Yes, I confirm: as of today, on a CentOS 6 server we tested modifying the shell for the splunk user from /bin/bash to /sbin/nologin.

On this server it is running the Splunk Universal Forwarder.

After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder, it is still working, as well as the scripts directly launched by it.

# to modify the shell
usermod -s /sbin/nologin splunk

# to restart the Universal Forwarder
/etc/init.d/splunk restart

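The two checks discussed in this thread, that the splunk account has a non-interactive shell and that splunk-launch.conf pins SPLUNK_OS_USER so boot-start does not need su, are the kind of thing an auditor will ask to see. The script below is an added example, not code from any of the posters or from Splunk: it parses passwd-format text and a splunk-launch.conf-style file and prints a verdict for one account. The list of shells treated as non-interactive and the sample passwd and launch.conf content are constructed for the example (the thread itself only mentions /sbin/nologin); the real files are read with the commented-out call at the end.

```shell
#!/bin/sh
# Added audit helper (not from the original thread): is the service account
# non-interactive, and does splunk-launch.conf pin the process user?

# Shells treated as non-interactive. /usr/sbin/nologin and /bin/false are
# assumed common variants; the thread only mentions /sbin/nologin.
NONINTERACTIVE_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# account_shell USER PASSWD_TEXT -> prints USER's login shell (field 7), or nothing
account_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# is_noninteractive USER PASSWD_TEXT -> 0 if the shell is in the nologin set,
# 1 if it is interactive, 2 if the account does not exist
is_noninteractive() {
    shell=$(account_shell "$1" "$2")
    [ -n "$shell" ] || return 2
    for s in $NONINTERACTIVE_SHELLS; do
        [ "$shell" = "$s" ] && return 0
    done
    return 1
}

# launch_conf_user LAUNCH_CONF_TEXT -> prints the SPLUNK_OS_USER value, if set
launch_conf_user() {
    printf '%s\n' "$1" | awk -F= '/^ *SPLUNK_OS_USER *=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# audit_splunk_user USER PASSWD_TEXT LAUNCH_CONF_TEXT -> prints two verdict lines,
# returns 0 only when both checks pass
audit_splunk_user() {
    user=$1; passwd=$2; launch=$3
    status=0
    if is_noninteractive "$user" "$passwd"; then
        printf '%s: shell %s is non-interactive (OK)\n' "$user" "$(account_shell "$user" "$passwd")"
    else
        printf '%s: shell "%s" is interactive or account missing (REVIEW)\n' "$user" "$(account_shell "$user" "$passwd")"
        status=1
    fi
    os_user=$(launch_conf_user "$launch")
    if [ "$os_user" = "$user" ]; then
        printf 'splunk-launch.conf pins SPLUNK_OS_USER=%s (OK)\n' "$os_user"
    else
        printf 'splunk-launch.conf does not pin SPLUNK_OS_USER=%s (REVIEW)\n' "$user"
        status=1
    fi
    return $status
}

# Constructed sample input (not real files from any host)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
splunk:x:1001:1001:Splunk:/opt/splunkforwarder:/sbin/nologin
deploy:x:1002:1002::/home/deploy:/bin/bash'

SAMPLE_LAUNCH='# splunk-launch.conf
SPLUNK_SERVER_NAME=Splunkd
SPLUNK_OS_USER=splunk'

# Against the real files:
#   audit_splunk_user splunk "$(cat /etc/passwd)" "$(cat "$SPLUNK_HOME/etc/splunk-launch.conf")"
audit_splunk_user splunk "$SAMPLE_PASSWD" "$SAMPLE_LAUNCH"
# The deploy account has /bin/bash, so this run is expected to flag it
audit_splunk_user deploy "$SAMPLE_PASSWD" "$SAMPLE_LAUNCH" || :
```

Run it after the usermod/restart steps above; a non-zero exit from audit_splunk_user means one of the two checks still needs attention. The passwd parser keys on the first field only, so an account whose shell is an unlisted script (for example a custom wrapper) is reported for review rather than silently accepted.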