SLEM 5 must not have unnecessary account capabilities.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-261358	SRG-OS-000480-GPOS-00227	SLEM-05-411060	SV-261358r996829_rule	2024-06-04	1

Description
Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary noninteractive accounts should not have an interactive shell assigned to them.

ℹ️ Check
Verify all noninteractive SLEM 5 accounts do not have an interactive shell assigned to them with the following command: Check the system accounts on the system. > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If noninteractive accounts such as "games" or "nobody" are listed with an interactive shell, this is a finding.

ℹ️ Check

Verify all noninteractive SLEM 5 accounts do not have an interactive shell assigned to them with the following command: Check the system accounts on the system. > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If noninteractive accounts such as "games" or "nobody" are listed with an interactive shell, this is a finding.

✔️ Fix
Configure SLEM 5 so that all noninteractive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific noninteractive user account: > sudo usermod --shell /sbin/nologin nobody