Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Security Concern: Does Splunk Need A Shell

imarks004
Path Finder
‎01-06-2011 07:20 PM

I was wondering if it is really necessary for the Splunk account to have a shell (/bin/bash)? I have set up a couple of test instances with the the splunk account set to nologin (/sbin/nologin) and have not noticed any impact. It is generally a best practice to not give a shell unless it is really needed and it would also be really nice to easily exclude this as a non-interactive account to our auditors. Does anyone know of a specific reason that a shell is required? I do not have any external scripts running on my test machines and that is the only reason I could think of for having a shell.

Tags (1)
Reply

tfpblanchard
Explorer
‎06-26-2014 02:26 PM

Actually the command enable boot-start -user splunk requires a valid shell for the splunk user (the splunk process attempts to run su).
A workaround is to run enable boot-start and then to add to the file $SPLUNK_HOME/etc/splunk-launch.conf (splunk forwarder 6.1.1)

SPLUNK_OS_USER=splunk

note: this may prevent some functions from the forwarder requiring su or a valid shell (I don't know splunk enough to judge), run at your own risk.

See also: http://installingcats.com/2013/07/30/splunk-account-currently-not-available-boot-start/

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-06-2011 10:55 PM

Generally it is the case that Splunk does not need a shell or terminal, that's right.

Reply

edoardo_vicendo
Contributor
‎09-22-2021 05:13 AM

Yes I confirm, as of today on a CentOS 6 server we tested to modify the shell for splunk user from /bin/bash to /sbin/nologin

On this server it is running the Splunk Universal Forwarder.

After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder it is still working, as well as the scripts directly launched by it.

#to modify the shell
usermod -s /sbin/nologin splunk

#to restart the Universal Forwarder
/etc/init.d/splunk restart

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...