
V-282723

CAT II (Medium)

TOSS 5 system accounts must not have an interactive login shell.

Rule ID

SV-282723r1201149_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

Check Content

Verify that system accounts do not have an interactive login shell by using the following command:

$ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd

root:0:/bin/bash
bin:1:/sbin/nologin
daemon:2:/sbin/nologin
adm:3:/sbin/nologin
lp:4:/sbin/nologin

Identify the system accounts from this listing that do not have a nologin or similar noninteractive shell.

If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding.
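The check above can be scripted so that only candidate findings are printed. This is an added example, not part of the STIG text; the exceptions file, the sample accounts and the noninteractive-shell pattern (`nologin` or `false`) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Assumptions: shells ending in
# "nologin" or "false" count as noninteractive (override NONINTERACTIVE_RE),
# and a hypothetical exceptions file lists ISSO-documented accounts, one per line.

# Usage: list_interactive_system_accounts PASSWD_FILE [EXCEPTIONS_FILE]
# Prints "name:uid:shell" for each candidate finding: UID < 1000, not root,
# not documented, and no noninteractive shell. An empty shell field is
# reported because login then falls back to /bin/sh.
list_interactive_system_accounts() {
    awk -F: -v nonint="${NONINTERACTIVE_RE:-}" '
        BEGIN { if (nonint == "") nonint = "/(nologin|false)$" }
        mode == "exceptions" {
            name = $0; gsub(/[ \t]+/, "", name)
            if (name != "" && name !~ /^#/) documented[name] = 1
            next
        }
        $1 == "" || $3 !~ /^[0-9]+$/ { next }       # skip malformed entries
        $3 + 0 >= 1000 || $1 == "root" { next }     # same UID cut-off as the check
        ($1 in documented) || $7 ~ nonint { next }
        { print $1 ":" $3 ":" ($7 == "" ? "(empty)" : $7) }
    ' mode=exceptions "${2:-/dev/null}" mode=passwd "$1"
}

# Constructed sample data (not from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svcbackup:x:401:401:Backup agent:/var/lib/backup:/bin/bash
svcmon:x:402:402:Monitoring:/var/lib/mon:
svcbatch:x:403:403:Batch runner:/var/lib/batch:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
printf '# documented with the ISSO\nsvcbatch\n' > "$sample_dir/exceptions"

list_interactive_system_accounts "$sample_dir/passwd" "$sample_dir/exceptions"
```

On a live system, pass `/etc/passwd` as the first argument; any line printed is an account to fix or to document with the ISSO.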

Fix Text

Configure TOSS 5 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.

If the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO).

Run the following command to disable the interactive shell for a specific noninteractive user account:

Replace <user> with the user that has a login shell.

$ sudo usermod --shell /sbin/nologin <user>

Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.