All,
I've noticed by default that Splunk Forwarder gives itself /bin/bash in /etc/passwd.
e.g.
splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash
I changed it to the below and restarted:
splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin
Best I can tell there was no impact. Scripted inputs are working, as are the monitor stanzas.
Is there any reason I should leave the Splunk user with a shell?
thanks!
Hi @danielteachesit,
the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.
I usually disable it in my production installation.
Ciao.
Giuseppe
You should also lock the splunk user, not only set its shell to nologin. If/when you need to use e.g. btool to check what those configurations are, just use the "sudo -usplunk bash" command to get a shell.
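The two hardening steps discussed in this thread (a non-interactive shell in /etc/passwd and a locked password in /etc/shadow) can be checked mechanically. The following POSIX sh audit script is an added example written for this page, not code posted by anyone in the thread or shipped with Splunk. It assumes nothing beyond awk and the standard passwd/shadow field layout; the two sample entries (a "splunk" account still on /bin/bash and unlocked, and a hypothetical "svc-ok" account already hardened) are constructed inline so the script runs offline without root. On a real host you would feed it the contents of /etc/passwd and /etc/shadow instead.

```shell
#!/bin/sh
# Added example: audit service accounts for (1) an interactive login shell and
# (2) an unlocked password hash. Sample input below is constructed, not real.

# Constructed sample passwd/shadow content. "svc-ok" is a hypothetical account
# showing what the hardened state looks like.
SAMPLE_PASSWD='splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash
svc-ok:x:1002:1002:Hardened Service:/opt/svc:/sbin/nologin'
SAMPLE_SHADOW='splunk:$6$examplehash:19000:0:99999:7:::
svc-ok:!:19000:0:99999:7:::'

# shell_of USER PASSWD_CONTENT -> prints USER's login shell (7th passwd field)
shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# is_nologin_shell SHELL -> exit 0 if SHELL cannot start an interactive session
is_nologin_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# is_locked USER SHADOW_CONTENT -> exit 0 if the hash field is locked, i.e. it
# starts with '!' (what usermod -L / passwd -l write) or is exactly '*'
is_locked() {
    pw=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$pw" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# audit_user USER PASSWD_CONTENT SHADOW_CONTENT
# -> prints "ok" or a comma-separated list of findings
audit_user() {
    findings=""
    sh=$(shell_of "$1" "$2")
    is_nologin_shell "$sh" || findings="interactive-shell:$sh"
    if ! is_locked "$1" "$3"; then
        findings="${findings:+$findings,}password-not-locked"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Stand-alone run over the constructed sample
for u in splunk svc-ok; do
    printf '%s: %s\n' "$u" "$(audit_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
done
```

Against the sample the "splunk" line reports both findings and "svc-ok" reports ok. Neither change blocks maintenance: `sudo -u splunk bash` (or `sudo -u splunk /opt/splunkforwarder/bin/splunk btool ...`) runs the named command as the account without consulting its login shell or password, which is exactly the workflow the reply above describes.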
There is no need for the Splunk account to have a shell assigned to it.