AlmaLinux OS 9 system accounts must not have an interactive login shell.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-269300 | SRG-OS-000480-GPOS-00227 | ALMA-09-024990 | SV-269300r1050182_rule | 2025-02-20 | 1 |
| Description |
|---|
| Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
| ℹ️ Check |
|---|
| Verify that system accounts must not have an interactive login shell with the following command: $ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash bin:1:/sbin/nologin daemon:2:/sbin/nologin adm:3:/sbin/nologin lp:4:/sbin/nologin sync:5:/bin/sync shutdown:6:/sbin/shutdown halt:7:/sbin/halt mail:8:/sbin/nologin operator:11:/sbin/nologin games:12:/sbin/nologin ftp:14:/sbin/nologin systemd-coredump:999:/sbin/nologin dbus:81:/sbin/nologin polkitd:998:/sbin/nologin tss:59:/sbin/nologin sssd:997:/sbin/nologin unbound:996:/sbin/nologin fapolicyd:995:/sbin/nologin postfix:89:/sbin/nologin sshd:74:/sbin/nologin chrony:994:/sbin/nologin systemd-oom:989:/usr/sbin/nologin Identify the system accounts from this listing that do not have a nologin shell. If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding. |
| ✔️ Fix |
|---|
| Configure AlmaLinux OS 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them. If the system account needs a shell assigned for mission operations, document the need with the ISSO. Run the following command to disable the interactive shell for a specific noninteractive user account, replacing <user> with the user that has a login shell. $ usermod --shell /sbin/nologin <user> Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. |