Re: Does Splunk Forwarder need an interactive logi...

danielteachesit · ‎06-27-2022

All,

I've noticed by default that Splunk Forwarder gives itself /bin/bash in /etc/passwd.

e.g.

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/bin/bash

I changed it to the below and restarted:

splunk:x:1001:1001:Splunk Server:/opt/splunkforwarder:/sbin/nologin

Best I can tell there was no impact. Scripted inputs are working as it the monitor stanza's.

Is there any reason I should leave Splunk user with a Shell?

thanks!

gcusello · ‎06-27-2022

Hi @danielteachesit,

the splunk user, assigned as owner to Splunk Universal Forwarders, doesn't need the Linux shell.

I usually disable it in my production installation.

Ciao.

Giuseppe

isoutamo · ‎06-28-2022

You should also lock splunk user not only set shell to nologin. If/when need to use e.g. btool to check what those configurations are, just use "sudo -usplunk bash" command to get shell.

richgalloway · ‎06-27-2022

There is no need for the Splunk account to have a shell assigned to it.

---
If this reply helps you, Karma would be appreciated.

Does Splunk Forwarder need an interactive login?

access control

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms