1.271 RHEL-09-411035

Information

RHEL 9 system accounts must not have an interactive login shell.

GROUP ID: V-258046
RULE ID: SV-258046r991589

Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure RHEL 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.

If the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO).

Run the following command to disable the interactive shell for a specific noninteractive user account:

Replace <user> with the user that has a login shell.

$ sudo usermod --shell /sbin/nologin <user>

Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.
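
To find the accounts that need the command above, the following added example (not part of the benchmark text) lists system accounts in a passwd-format file whose shell is still interactive. It assumes system accounts are UIDs below 1000, the default UID_MIN on RHEL 9, and treats only nologin and false as noninteractive shells; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for system accounts that still
# have a login shell. Not taken from the benchmark itself.

# Assumption: system accounts have UIDs below UID_MIN (1000 by default in
# /etc/login.defs on RHEL 9). Override UID_MIN if the site uses another value.
UID_MIN="${UID_MIN:-1000}"

# list_interactive_system_accounts [passwd_file]
# Prints "name:uid:shell" for every system account whose shell is not
# nologin or false. root (UID 0) is always skipped, because changing its
# shell would make the system inaccessible.
list_interactive_system_accounts() {
    awk -F: -v min="$UID_MIN" '
        /^#/ || /^$/      { next }   # skip comments and blank lines
        NF < 7            { next }   # skip malformed entries
        $3 !~ /^[0-9]+$/  { next }   # skip entries with a non-numeric UID
        $3 == 0           { next }   # never report root
        $3 >= min         { next }   # regular users are out of scope
        $7 ~ /\/(nologin|false)$/ { next }   # already noninteractive
        # Anything else is reported for review, including special entries
        # such as /bin/sync. An empty field means /bin/sh per passwd(5).
        { print $1 ":" $3 ":" ($7 == "" ? "(empty, defaults to /bin/sh)" : $7) }
    ' "${1:-/etc/passwd}"
}

# Usage: list_interactive_system_accounts /etc/passwd
# For each reported account with no documented need for a shell, run:
#   sudo usermod --shell /sbin/nologin <user>
```

An empty result means no system account in the file has a shell other than nologin or false.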

See Also

https://workbench.cisecurity.org/benchmarks/22008