Skip to content

Ensure that System Accounts Do Not Run a Shell Upon Login

An XCCDF Rule

Description

Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:

$ sudo usermod -s /sbin/nologin account

warning alert: Functionality Warning

Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.

Rationale

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

ID
xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Severity
Medium
References
Updated