Security Concern: Does Splunk Need A Shell

imarks004
Path Finder

I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed, and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines, and that is the only reason I could think of for having a shell.

tfpblanchard
Explorer

Actually the command enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run su).
A workaround is to run enable boot-start and then add the following line to the file $SPLUNK_HOME/etc/splunk-launch.conf (Splunk forwarder 6.1.1):

SPLUNK_OS_USER=splunk

Note: this may prevent some functions of the forwarder that require su or a valid shell (I don't know Splunk well enough to judge); run at your own risk.

See also: http://installingcats.com/2013/07/30/splunk-account-currently-not-available-boot-start/

gkanapathy
Splunk Employee

Generally it is the case that Splunk does not need a shell or terminal, that's right.

edoardo_vicendo
Contributor

Yes, I confirm: as of today, on a CentOS 6 server we tested changing the shell of the splunk user from /bin/bash to /sbin/nologin.

On this server it is running the Splunk Universal Forwarder.

After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder, it is still working, as are the scripts launched directly by it.

#to modify the shell
usermod -s /sbin/nologin splunk

#to restart the Universal Forwarder
/etc/init.d/splunk restart

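Pulling the two replies together, here is an added shell example that is not code from this thread or from Splunk. It audits passwd-format text for service accounts that still have a login shell (the list an auditor would ask for), simulates what `usermod -s` writes for the splunk account, and picks the nologin binary present on the host, since RHEL/CentOS ships /sbin/nologin while Debian-based systems use /usr/sbin/nologin. The sample /etc/passwd content is constructed, the account name "splunk" and the install path /opt/splunkforwarder are assumptions, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Assumes the service
# account is named "splunk"; function names (is_nologin_shell,
# interactive_service_accounts, with_shell, nologin_path) are my own.

# Shells that deny interactive login. /bin/false is accepted because many
# baselines allow it, but nologin is preferable: it prints
# "This account is currently not available." so a blocked su is explicit.
is_nologin_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the login shell of one account from passwd-format text on stdin
# (field 7 of "name:x:uid:gid:gecos:home:shell").
account_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Print every system account (UID < 1000, excluding root) whose shell still
# permits an interactive login; reads passwd-format text on stdin.
interactive_service_accounts() {
    awk -F: '$3 < 1000 && $1 != "root" { print $1 ":" $7 }' |
    while IFS=: read -r name shell; do
        is_nologin_shell "$shell" || echo "$name"
    done
}

# Simulate the passwd edit that "usermod -s SHELL USER" performs, on stdin.
with_shell() {
    awk -F: -v OFS=: -v u="$1" -v s="$2" '$1 == u { $7 = s } { print }'
}

# Choose the nologin binary present on this host; fall back to /bin/false.
nologin_path() {
    for p in /sbin/nologin /usr/sbin/nologin; do
        if [ -x "$p" ]; then echo "$p"; return 0; fi
    done
    echo /bin/false
}

# Constructed sample /etc/passwd content; not taken from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
splunk:x:500:500:Splunk Server:/opt/splunkforwarder:/bin/bash
nagios:x:501:501::/var/spool/nagios:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

main() {
    echo "splunk shell before: $(printf '%s\n' "$SAMPLE_PASSWD" | account_shell splunk)"
    echo "service accounts with a login shell:"
    printf '%s\n' "$SAMPLE_PASSWD" | interactive_service_accounts
    target="$(nologin_path)"
    echo "command to apply on this host: usermod -s $target splunk"
    fixed="$(printf '%s\n' "$SAMPLE_PASSWD" | with_shell splunk "$target")"
    echo "splunk shell after: $(printf '%s\n' "$fixed" | account_shell splunk)"
    # Once the shell is nologin, a plain "su splunk -c ..." is refused with
    # "This account is currently not available."; override the shell instead:
    echo "ad-hoc command as splunk: su -s /bin/sh splunk -c '/opt/splunkforwarder/bin/splunk status'"
}

main
```

The `su -s /bin/sh` form covers ad-hoc administration after the shell has been removed; for boot-start itself, the order tfpblanchard describes (run enable boot-start while the account still has a shell, then set SPLUNK_OS_USER in splunk-launch.conf) avoids the su failure entirely.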