Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk needs a shell?

daniel333
Builder
‎02-02-2021 02:39 PM

All, 

Just noticed when Splunk UF installs it creates a user "splunk" with a login shell /bin/bash in /etc/passwd. 

e.g.
splunk:1007:/bin/bash

Is that needed? Can I switch it to a nologin? Anyone familiar with the impact of doing that? 

0 Karma
Reply

edoardo_vicendo
Builder
‎09-22-2021 05:14 AM

As of today on a CentOS 6 server we tested to modify the shell for splunk user from /bin/bash to /sbin/nologin

On this server it is running the Splunk Universal Forwarder.

After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder it is still working, as well as the scripts directly launched by it.

#to modify the shell
usermod -s /sbin/nologin splunk

#to restart the Universal Forwarder
/etc/init.d/splunk restart

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-22-2021 05:38 AM

Personally I prefer to do it just like this. Disable login for splunk user w/o no real shell. And I do the same for both UF and other servers (like indexers, SHs etc.). When it's needed to run something on this user then use just sudo with used shell.

r. Ismo

0 Karma
Reply

edoardo_vicendo
Builder
‎09-22-2021 06:50 AM

I think it depends on how you manage your environment. We applied this modification only on a subset of client machines (having UF installed) because the side effect is that you are not able anymore to do "su - splunk".

On a UF it could be acceptable, mainly because you deploy the apps with the Splunk Deployment Server, and because to restart the UF if needed you can leverage on init or systemd. 

On the other hand, if you are on a Splunk server (having Splunk Enterprise installed), it is usually necessary to become splunk user to modify configuration files, run CLI commands etc... Of course you can also manage it adding requested commands in sudoers file, but it could take time to define them all, and using wildcards on sudoers file it's not the best choice in term of security. This obviously applies unless you are not root on that machine 🙂

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-22-2021 11:47 AM
You could do sudo -u splunk /bin/bash to get shell and after that works (almost) like after su splunk (w/o - ).
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...