mediumaccess-controlverified ✓
Ensure accounts without a valid login shell are locked
accounts-locked-no-shell · RHEL ≥ 8 · 1 impl
Description
Accounts that have a non-interactive shell (like nologin or false) should also be locked to prevent any form of authentication.
Rationale
Even with a non-interactive shell, an unlocked account could potentially be exploited through services that don't require a shell.
Check → Remediate
Checkcommand
# Find accounts with nologin/false shell that are not locked
unlocked=""
while IFS=: read -r user _ uid _ _ _ shell; do
# Skip root and system accounts below UID 1000 that might need special handling
[ "$user" = "root" ] && continue
# Check if shell is nologin or false
if echo "$shell" | grep -qE '(nologin|false)$'; then
# Check if account is locked (password starts with ! or *)
passwd_entry=$(grep "^${user}:" /etc/shadow 2>/dev/null | cut -d: -f2)
if ! echo "$passwd_entry" | grep -qE '^[!*]'; then
unlocked="$unlocked $user"
fi
fi
done < /etc/passwd
if [ -n "$unlocked" ]; then
echo "FAIL: Accounts with nologin shell not locked:$unlocked"
exit 1
fi
echo "OK: All nologin accounts are locked"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Lock accounts with nologin shell using: passwd -l <username>
Framework references
CIS
rhel9 5.4.2.8rhel10 5.4.2.8rhel8 5.4.2.8
NIST 800-53
AC-6IA-4
Live verification
rhel10:checkrhel8:checkrhel9:check
#accounts#shell#locked#security