3.2 Ensure the Apache User Account Has an Invalid Shell

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to login.


Service accounts such as the apache account represent a risk if they can be used to get a login shell to the system.


Change the apache account to use the nologin shell or an invalid shell such as /dev/null:

# chsh -s /sbin/nologin apache

Default Value:

The default Apache user account is daemon. The daemon account may have a valid login shell or a shell of /sbin/nologin depending on the operating system distribution version.

See Also