All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-917 | GEN002140 | SV-63671r2_rule | Medium |
| Description |
|---|
| The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
| STIG | Date |
|---|---|
| Oracle Linux 5 Security Technical Implementation Guide | 2020-02-25 |
Details
| Check Text ( C-52291r2_chk ) |
|---|
| Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: Determine which shells are permitted for use by users: # more /etc/shells Note: /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, /bin/sync, /sbin/halt, /sbin/shutdown, (and equivalents) cannot be placed in the /etc/shells file. Determine which shells are being used: # more /etc/passwd (optionally shells found in /etc/passwd can be grepped for in /etc/shells) If any shells are found that are not in /etc/shells, or if false shells are found in /etc/shells, then this is a finding. |
| Fix Text (F-54251r1_fix) |
|---|
| Use the "chsh" utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file. Example: # chsh -s /bin/bash testuser |