mediumaccess-controlverified ✓
Ensure nologin is not listed in /etc/shells
nologin-not-in-shells · RHEL ≥ 8 · 1 impl
Description
The /etc/shells file should not contain nologin shell paths, as these are intended to prevent interactive logins.
Rationale
Including nologin in /etc/shells could allow FTP or other services to accept logins for accounts that should not have interactive access.
Check → Remediate
Checkcommand
if grep -qE '(nologin|false)$' /etc/shells 2>/dev/null; then echo "FAIL: nologin or false found in /etc/shells" grep -E '(nologin|false)$' /etc/shells exit 1 fi echo "OK: nologin not in /etc/shells" exit 0
- expected_exit:
- 0
Remediatecommand_exec
sed -i '/nologin$/d; /false$/d' /etc/shells
Framework references
CIS
rhel9 5.4.3.1rhel10 5.4.3.1rhel8 5.4.3.1
NIST 800-53
CM-6AC-3
Live verification
rhel10:checkrhel9:check
#shells#nologin#authentication#security