| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-917 | GEN002140 | SV-37393r1_rule | ECSC-1 | Medium |
| Description |
|---|
| The shells file lists the approved default shells. It provides a layer of defense by ensuring users cannot change their default shell to an unauthorized, insecure shell. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2013-07-03 |
| Check Text (C-36080r2_chk) |
|---|
| Confirm that every login shell referenced in the /etc/passwd file is listed in the /etc/shells file. Procedure: `# for USHELL in $(cut -d: -f7 /etc/passwd); do if [ "$(grep -cxF -- "${USHELL}" /etc/shells)" -eq 0 ]; then echo "${USHELL} not in /etc/shells"; fi; done` (the `-x` and `-F` options make grep match the shell path literally and as a whole line, so that /bin/sh is not accepted merely because /usr/bin/sh is listed). The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, /bin/sync, /sbin/halt, /sbin/shutdown (and equivalents), and sdshell are considered valid shells for use in the /etc/passwd file even though they are not listed in the /etc/shells file. If a shell referenced in /etc/passwd, other than those just listed, is not in the shells file, this is a finding. |
| Fix Text (F-31324r2_fix) |
|---|
| Use the `chsh` utility or edit the /etc/passwd file to change the default shell of the offending account to an acceptable shell listed in the /etc/shells file. Example: `# chsh -s /bin/bash testuser` |
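As an added example (not part of the STIG text), a POSIX sh version of the check above that applies the listed exemptions, matches each shell path exactly, and runs against constructed stand-ins for /etc/passwd and /etc/shells; the sample accounts, the temporary files and the treatment of an empty shell field as /bin/sh are assumptions made for the example.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/passwd and /etc/shells (assumed sample data).
PASSWD_SAMPLE=$(mktemp)
SHELLS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/usr/local/bin/zsh
carol:x:502:502::/home/carol:/bin/sh
EOF
cat > "$SHELLS_SAMPLE" <<'EOF'
# comment lines are permitted in /etc/shells
/bin/bash
/usr/bin/sh
EOF

# Shells the check text accepts in /etc/passwd without an /etc/shells entry.
EXEMPT_SHELLS="/usr/bin/false /bin/false /dev/null /sbin/nologin /bin/sync /sbin/halt /sbin/shutdown"

# Prints one line per account whose login shell is neither exempt nor listed
# verbatim in the shells file; returns 1 if any such account exists, else 0.
check_login_shells() {
  passwd_file=$1; shells_file=$2; findings=0
  while IFS=: read -r user f2 f3 f4 f5 f6 shell; do
    [ -n "$user" ] || continue              # skip blank lines
    [ -n "$shell" ] || shell=/bin/sh        # assumed: empty field means /bin/sh
    case " $EXEMPT_SHELLS " in *" $shell "*) continue ;; esac
    case "${shell##*/}" in sdshell) continue ;; esac
    # -x forces a whole-line match and -F a literal one, so /bin/sh is not
    # accepted on the strength of a /usr/bin/sh entry as a substring grep would.
    if ! grep -qxF -- "$shell" "$shells_file"; then
      printf '%s: %s not in %s\n' "$user" "$shell" "$shells_file"
      findings=$((findings + 1))
    fi
  done < "$passwd_file"
  [ "$findings" -eq 0 ]
}

check_login_shells "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"
```

With the sample data, bob (/usr/local/bin/zsh) and carol (/bin/sh, listed only as /usr/bin/sh) are reported; the exempt system accounts are not.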