← Rules Catalog
mediumaccess-controlverified

Ensure system accounts are non-login

nologin-system-accounts · RHEL ≥ 8 · 1 impl

Description

System accounts (UID < 1000) that are not root should have a non-login shell such as /sbin/nologin or /bin/false to prevent interactive access.

Rationale

System accounts are typically used for running services and should not allow interactive login. Setting a non-login shell prevents potential abuse of these accounts.

Check → Remediate

Checkcommand
bad=$(awk -F: '$3 > 0 && $3 < 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "/usr/sbin/nologin" {print $1 ":" $7}' /etc/passwd)
if [ -n "$bad" ]; then
  echo "FAIL: system accounts with login shell:"
  echo "$bad"
  exit 1
fi
echo "OK: all system accounts have non-login shell"
expected_exit:
0
Remediatemanual
note:
Set shell to /sbin/nologin for system accounts that should not have interactive login: usermod -s /sbin/nologin <username> Run this to find accounts needing update: awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /nologin|false/ {print $1}' /etc/passwd

Framework references

CIS

rhel8 5.4.2.7rhel9 5.4.2.7rhel10 5.4.2.7

STIG

V-281168 / RHEL-10-600020V-258046V-230379

NIST 800-53

AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#user-accounts#system-accounts#shell#security