Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-917 | GEN002140 | SV-45171r1_rule | Medium |
| Description |
|---|
| The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized unsecure shell. |
| STIG | Date |
|---|---|
| SUSE Linux Enterprise Server v11 for System z | 2016-12-20 |
Details
| Check Text ( C-42516r1_chk ) |
|---|
| Confirm the login shells referenced in the /etc/passwd file are listed in the /etc/shells file. Procedure: # for USHELL in `cut -d: -f7 /etc/passwd`; do if [ $(grep -c "${USHELL}" /etc/shells) == 0 ]; then echo "${USHELL} not in /etc/shells"; fi; done The /usr/bin/false, /bin/false, /dev/null, /sbin/nologin, /bin/sync, /sbin/halt, /sbin/shutdown, (and equivalents), and sdshell will be considered valid shells for use in the /etc/passwd file, but will not be listed in the /etc/shells file. If a shell referenced in /etc/passwd is not listed in the shells file, excluding the above mentioned shells, this is a finding. |
| Fix Text (F-38569r2_fix) |
|---|
| Use the YaST > Security and Users > User and Group Management module to change the default shell of any account in error to an acceptable shell. OR Use the "chsh" utility or edit the /etc/passwd file and correct the error by changing the default shell of the account in error to an acceptable shell name contained in the /etc/shells file. |