Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-917 | GEN002140 | SV-45171r1_rule | Medium |
Description |
---|
The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2016-12-20 |
Check Text ( C-42516r1_chk ) |
---|
Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: # for USHELL in `cut -d: -f7 /etc/passwd`; do if [ $(grep -c "${USHELL}" /etc/shells) == 0 ]; then echo "${USHELL} not in /etc/shells"; fi; done The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, /bin/sync, /sbin/halt, /sbin/shutdown, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file. If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, this is a finding. |
Fix Text (F-38569r2_fix) |
---|
Use the YaST > Security and Users > User and Group Management module to change the default shell of any account in error to an acceptable shell. OR Use the "chsh" utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file. |