STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-281168

CAT II (Medium)

RHEL 10 must not assign an interactive login shell for system accounts.

Rule ID

SV-281168r1195416_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002696

Discussion

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to use system accounts.

Check Content

Verify RHEL 10 system accounts do not have an interactive login shell with the following command:

$ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd
root:0:/bin/bash
bin:1:/sbin/nologin
daemon:2:/sbin/nologin
adm:3:/sbin/nologin
lp:4:/sbin/nologin

Identify the listed system accounts that have a shell other than nologin.

If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding.

Fix Text

Configure RHEL 10 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.

If the system account needs a shell assigned for mission operations, document the need with the ISSO.

Run the following command to disable the interactive shell for a specific noninteractive user account:

Replace <user> with the user that has a login shell.

$ sudo usermod --shell /sbin/nologin <user>

Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.