
All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.


Overview

Finding ID: GEN002140-ESXI5-000046
Version: GEN002140-ESXI5-000046
Rule ID: GEN002140-ESXI5-000046_rule
IA Controls: (not specified)
Severity: Medium
Description
The shells file lists the approved default shells. It adds a layer of defense by ensuring users cannot change their default shell to an unauthorized shell that may not be secure. By default, the shells file lists the only two shells present on the ESXi file system, /bin/ash and /bin/sh. Users not granted shell access are assigned the shell /sbin/nologin.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-GEN002140-ESXI5-000046_chk)
Disable lock down mode. Enable the ESXi Shell.
= /etc/shells

Available shells for ESXi are "/bin/sh" and "/bin/ash".

Execute the following command(s):
# ls -lL `cat /etc/shells`

If /etc/shells does not exist, this is a finding.

If /etc/shells exists and is empty, this is a finding.

If /etc/shells exists and includes both the /bin/sh and /bin/ash shells, this is not a finding.

Re-enable lock down mode.
Fix Text (F-GEN002140-ESXI5-000046_fix)
Disable lock down mode.
Enable the ESXi Shell.
= /etc/shells
Available shells for ESXi are "/bin/sh" and "/bin/ash".

Ensure both of the interactive shells above are listed in the /etc/shells file. If necessary, add them:
# vi /etc/shells

Re-enable lock down mode.
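The check and fix above confirm that /etc/shells exists, is non-empty and lists /bin/sh and /bin/ash, but the rule itself is about every shell referenced in /etc/passwd being listed, except login-preventing shells. The following POSIX sh script is an added example (not part of the STIG text) that audits a passwd-format file against a shells-format file; the exempt-shell list, the `unlisted_shells` and `shells_compliant` function names and the sample accounts are assumptions constructed for the example.

```shell
# Added example, not the STIG's own text: audit the login shells used in a
# passwd-format file against a shells-format file. Shells used only to
# prevent logins are exempt, as the rule allows.

# Login-preventing shells exempt from the /etc/shells requirement (assumed list).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false"

# Print each distinct shell named in the passwd file ($1) that is neither
# exempt nor listed in the shells file ($2; one path per line, '#' comments).
unlisted_shells() {
    cut -d: -f7 "$1" | sort -u | while read -r s; do
        [ -z "$s" ] && continue                  # empty field: system default shell
        case " $NOLOGIN_SHELLS " in
            *" $s "*) continue ;;                # exempt: prevents logins
        esac
        # -x matches the whole line, -F treats the path literally, not as a regex
        if ! grep -v '^#' "$2" | grep -qxF "$s"; then
            printf '%s\n' "$s"
        fi
    done
}

# Return 0 (compliant) when the shells file exists, is non-empty, and covers
# every interactive shell in the passwd file; return 1 for a finding.
shells_compliant() {
    [ -s "$2" ] || return 1                      # missing or empty /etc/shells
    [ -z "$(unlisted_shells "$1" "$2")" ]
}

# Constructed sample files standing in for /etc/passwd and /etc/shells
# (hypothetical accounts; the ESXi shells /bin/sh and /bin/ash are listed).
WORK=${TMPDIR:-/tmp}/shells_audit.$$
mkdir -p "$WORK"
SAMPLE_PASSWD=$WORK/passwd
SAMPLE_SHELLS=$WORK/shells
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
dcui:x:100:100:DCUI User:/:/sbin/nologin
vpxuser:x:500:100:VMware vCenter:/:/bin/ash
backup:x:501:100:Backup:/:/bin/bash
EOF
cat > "$SAMPLE_SHELLS" <<'EOF'
# valid login shells
/bin/sh
/bin/ash
EOF

# /bin/bash is used by an account but not listed, so this is a finding.
unlisted_shells "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
shells_compliant "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" || echo "finding: unlisted shell in use"
```

On a real host, pass /etc/passwd and /etc/shells as the two arguments; an empty result from `unlisted_shells` together with a non-empty /etc/shells is the compliant state.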