Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Security Concern: Does Splunk Need A Shell

imarks004
Path Finder
‎01-06-2011 07:20 PM

I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines and that is the only reason I could think of for having a shell.

Tags (1)
Reply

tfpblanchard
Explorer
‎06-26-2014 02:26 PM

Actually the command enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run su).
A workaround is to run enable boot-start and then to add to the file $SPLUNK_HOME/etc/splunk-launch.conf (splunk forwarder 6.1.1)

SPLUNK_OS_USER=splunk

note: this may prevent some functions from the forwarder requiring su or a valid shell (I don't know splunk enough to judge), run at your own risk.

See also: http://installingcats.com/2013/07/30/splunk-account-currently-not-available-boot-start/

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-06-2011 10:55 PM

Generally it is the case that Splunk does not need a shell or terminal, that's right.

Reply

edoardo_vicendo
Contributor
‎09-22-2021 05:13 AM

Yes I confirm, as of today on a CentOS 6 server we tested to modify the shell for splunk user from /bin/bash to /sbin/nologin

On this server it is running the Splunk Universal Forwarder.

After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder it is still working, as well as the scripts directly launched by it.

#to modify the shell
usermod -s /sbin/nologin splunk

#to restart the Universal Forwarder
/etc/init.d/splunk restart

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...