RHEL 9 system accounts must not have an interactive login shell.

An XCCDF Rule

Details
Profiles

Description

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

ID: SV-258046r991589_rule
Version: RHEL-09-411035
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Configure RHEL 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.

If the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO).

Run the following command to disable the interactive shell for a specific noninteractive user account:
Replace <user> with the user that has a login shell.

$ sudo usermod --shell /sbin/nologin <user>

Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.

RHEL 9 system accounts must not have an interactive login shell.

Description

Remediation Templates

A Manual Procedure