Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
RHEL 9 system accounts must not have an interactive login shell.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258046 | RHEL-09-411035 | SV-258046r991589_rule | Medium |
| Description |
|---|
| Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-06-04 |
Details
| Check Text ( C-61787r926123_chk ) |
|---|
| Verify that system accounts must not have an interactive login shell with the following command: $ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash bin:1:/sbin/nologin daemon:2:/sbin/nologin adm:3:/sbin/nologin lp:4:/sbin/nologin Identify the system accounts from this listing that do not have a nologin shell. If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding. |
| Fix Text (F-61711r926124_fix) |
|---|
| Configure RHEL 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them. If the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO). Run the following command to disable the interactive shell for a specific noninteractive user account: Replace $ sudo usermod --shell /sbin/nologin Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. |