mediumaccess-controlverified ✓
Ensure system accounts are non-login
nologin-system-accounts · RHEL ≥ 8 · 1 impl
Description
System accounts (UID < 1000) that are not root should have a non-login shell such as /sbin/nologin or /bin/false to prevent interactive access.
Rationale
System accounts are typically used for running services and should not allow interactive login. Setting a non-login shell prevents potential abuse of these accounts.
Check → Remediate
Checkcommand
bad=$(awk -F: '$3 > 0 && $3 < 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "/usr/sbin/nologin" {print $1 ":" $7}' /etc/passwd)
if [ -n "$bad" ]; then
echo "FAIL: system accounts with login shell:"
echo "$bad"
exit 1
fi
echo "OK: all system accounts have non-login shell"
- expected_exit:
- 0
Remediatemanual
- note:
- Set shell to /sbin/nologin for system accounts that should not have interactive login: usermod -s /sbin/nologin <username> Run this to find accounts needing update: awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /nologin|false/ {print $1}' /etc/passwd
Framework references
CIS
rhel8 5.4.2.7rhel9 5.4.2.7rhel10 5.4.2.7
STIG
V-281168 / RHEL-10-600020V-258046V-230379
NIST 800-53
AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#user-accounts#system-accounts#shell#security