← Rules Catalog
mediumaccess-controlverified

Ensure accounts without a valid login shell are locked

accounts-locked-no-shell · RHEL ≥ 8 · 1 impl

Description

Accounts that have a non-interactive shell (like nologin or false) should also be locked to prevent any form of authentication.

Rationale

Even with a non-interactive shell, an unlocked account could potentially be exploited through services that don't require a shell.

Check → Remediate

Checkcommand
# Find accounts with nologin/false shell that are not locked
unlocked=""
while IFS=: read -r user _ uid _ _ _ shell; do
  # Skip root and system accounts below UID 1000 that might need special handling
  [ "$user" = "root" ] && continue
  # Check if shell is nologin or false
  if echo "$shell" | grep -qE '(nologin|false)$'; then
    # Check if account is locked (password starts with ! or *)
    passwd_entry=$(grep "^${user}:" /etc/shadow 2>/dev/null | cut -d: -f2)
    if ! echo "$passwd_entry" | grep -qE '^[!*]'; then
      unlocked="$unlocked $user"
    fi
  fi
done < /etc/passwd
if [ -n "$unlocked" ]; then
  echo "FAIL: Accounts with nologin shell not locked:$unlocked"
  exit 1
fi
echo "OK: All nologin accounts are locked"
exit 0
expected_exit:
0
Remediatemanual
note:
Lock accounts with nologin shell using: passwd -l <username>

Framework references

CIS

rhel9 5.4.2.8rhel10 5.4.2.8rhel8 5.4.2.8

NIST 800-53

AC-6IA-4

Live verification

rhel10:checkrhel8:checkrhel9:check
#accounts#shell#locked#security