← Rules Catalog
mediumaccess-controlverified

Ensure nologin is not listed in /etc/shells

nologin-not-in-shells · RHEL ≥ 8 · 1 impl

Description

The /etc/shells file should not contain nologin shell paths, as these are intended to prevent interactive logins.

Rationale

Including nologin in /etc/shells could allow FTP or other services to accept logins for accounts that should not have interactive access.

Check → Remediate

Checkcommand
if grep -qE '(nologin|false)$' /etc/shells 2>/dev/null; then
  echo "FAIL: nologin or false found in /etc/shells"
  grep -E '(nologin|false)$' /etc/shells
  exit 1
fi
echo "OK: nologin not in /etc/shells"
exit 0
expected_exit:
0
Remediatecommand_exec
sed -i '/nologin$/d; /false$/d' /etc/shells

Framework references

CIS

rhel9 5.4.3.1rhel10 5.4.3.1rhel8 5.4.3.1

NIST 800-53

CM-6AC-3

Live verification

rhel10:checkrhel9:check
#shells#nologin#authentication#security