GEN002140-ESXI5-000046 - All shells referenced in /etc/passwd must be listed in the /etc/shells file, except any shells specified for the purpose of preventing logins.

Information

The shells file lists the approved default shells. It adds a layer of defense by ensuring users cannot change their default shell to an unauthorized shell that may not be secure. By default, the shells file lists the only two shells present in the ESXi file system, /bin/ash and /bin/sh. Users not granted shell access are assigned the shell /sbin/nologin.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Disable lock down mode.
Enable the ESXi Shell.
<file> = /etc/shells
Available shells for ESXi are '/bin/sh' and '/bin/ash'.

Ensure both of the interactive shells above are listed in the /etc/shells file. If necessary, add them:
# vi /etc/shells

Re-enable lock down mode.
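The following script is an added example (not part of the STIG or the Nessus audit) that automates the check this rule describes: it reports every account in a passwd file whose login shell is missing from a shells file, treating the login-denying shells as exempt. The exempt list and the sample data are assumptions; the file paths default to /etc/passwd and /etc/shells but can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the STIG or Nessus. Reports passwd entries whose
# shell is not listed in the shells file, skipping login-denying shells.

# Shells whose only purpose is to prevent logins; the rule exempts these.
# /sbin/nologin is the one ESXi uses; the others are assumed common variants.
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# Returns 0 when $1 is one of the login-denying shells above.
is_nologin() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Prints "user shell" for every account whose shell is neither exempt nor
# listed in the shells file. Returns 0 if compliant, 1 if any were found.
# Usage: find_unlisted_shells [passwd_file] [shells_file]
find_unlisted_shells() {
    passwd_file="${1:-/etc/passwd}"
    shells_file="${2:-/etc/shells}"
    status=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        # An empty seventh field means the login default shell; nothing to check.
        [ -z "$shell" ] && continue
        is_nologin "$shell" && continue
        # shells file: one path per line, '#' comment lines ignored.
        # -F treats the path literally, -x requires a whole-line match.
        if ! grep -v '^#' "$shells_file" | grep -qxF "$shell"; then
            echo "$user $shell"
            status=1
        fi
    done < "$passwd_file"
    return $status
}

# Stand-alone run against the live system when executed directly.
if find_unlisted_shells; then
    echo "All login shells in /etc/passwd are listed in /etc/shells."
else
    echo "Finding: the shells above are not listed in /etc/shells." >&2
fi
```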

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39276, Rule-ID|SV-250580r798739_rule, STIG-ID|GEN002140-ESXI5-000046, STIG-Legacy|SV-51092, STIG-Legacy|V-39276, Vuln-ID|V-250580

Plugin: VMware

Control ID: 36183988e0898431b83124d40377ab026f39ebe1f10df73b60d3298ddfeabf52