Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
GEN002140-ESXI5-000046 | GEN002140-ESXI5-000046 | GEN002140-ESXI5-000046_rule | | Medium |
Description |
---|
The shells file lists approved default shells. It helps provide layered defense to the security approach by ensuring users cannot change their default shell to an unauthorized shell that may not be secure. By default, the shells file contains the only shell files in the ESXi file system, /bin/ash and /bin/sh. Users not granted shell access are assigned the shell /sbin/nologin. |
STIG | Date |
---|---|
VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Check Text ( C-GEN002140-ESXI5-000046_chk ) |
---|
Disable lock down mode. Enable the ESXi Shell. Available shells for ESXi are "/bin/sh" and "/bin/ash". Execute the following command(s): # ls -lL `cat /etc/shells` If /etc/shells does not exist, this is a finding. If /etc/shells exists and is empty, this is a finding. If /etc/shells exists and includes both the /bin/sh and /bin/ash shells, this is not a finding. Re-enable lock down mode. |
Fix Text (F-GEN002140-ESXI5-000046_fix) |
---|
Disable lock down mode. Enable the ESXi Shell. Available shells for ESXi are "/bin/sh" and "/bin/ash". Ensure both the above interactive shell(s) are listed in the /etc/shells file. If necessary, add them: # vi /etc/shells Re-enable lock down mode. |
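
The Check Text conditions expressed as a POSIX shell function, added here as an example and not part of the STIG. The name `check_shells`, its verdict strings and its return codes are assumptions. So are two choices it makes: a file holding only comments or blank lines counts as empty, and a file listing only one of the two shells is reported for manual review, since the Check Text does not classify that case.

```shell
#!/bin/sh
# Added example: evaluate a shells file against the Check Text conditions.
# check_shells and its verdict strings are hypothetical, not STIG-defined.

# Shells the Check Text names as available on ESXi.
REQUIRED_SHELLS="/bin/sh /bin/ash"

# check_shells [FILE]   (FILE defaults to /etc/shells)
# Prints one verdict line. Returns 0 for "not a finding", 1 for "finding",
# 2 for a state the Check Text does not classify (manual review).
check_shells() {
    file="${1:-/etc/shells}"

    if [ ! -e "$file" ]; then
        echo "FINDING: $file does not exist"
        return 1
    fi

    # Assumption: strip comments, surrounding whitespace and blank lines,
    # so a file with no usable entries is treated as empty.
    entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
                  -e 's/[[:space:]]*$//' -e '/^$/d' "$file")
    if [ -z "$entries" ]; then
        echo "FINDING: $file is empty"
        return 1
    fi

    missing=""
    for shell in $REQUIRED_SHELLS; do
        # -x whole-line match, -F literal string: /bin/sh must not match /bin/ash
        printf '%s\n' "$entries" | grep -qxF "$shell" || missing="$missing $shell"
    done

    if [ -z "$missing" ]; then
        echo "NOT A FINDING: $file lists $REQUIRED_SHELLS"
        return 0
    fi
    echo "REVIEW: $file is missing:$missing"
    return 2
}
```

Called with no argument, the function reads /etc/shells on the host; pass a path to evaluate a copy of the file instead.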