3.2 Ensure the Apache User Account Has an Invalid Shell

Information

The 'apache' account must not be used as a regular login account, so it should be assigned an invalid or 'nologin' shell to ensure it cannot be used to log in.

Rationale:

Service accounts such as the 'apache' account are a risk if they can be used to get a login shell to the system.

Solution

Change the 'apache' account to use the 'nologin' shell or an invalid shell such as '/dev/null':

# chsh -s /sbin/nologin apache

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv6|16, CSCv7|4.3

Plugin: Unix

Control ID: 19b353375c938d98b2a2ad843832701cb83e115e551c1ffe5c04a15472d595c6