3.2 Ensure the Apache User Account Has an Invalid Shell

Information

The 'apache' account must not be used as a regular login account, so it should be assigned an invalid or 'nologin' shell to ensure it cannot be used to log in.

Rationale:

Service accounts such as the 'apache' account are a risk if they can be used to obtain a login shell on the system.

Solution

Change the 'apache' account to use the 'nologin' shell or an invalid shell such as '/dev/null':

# chsh -s /sbin/nologin apache
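
To verify the setting before or after the change, the following added example (not part of the benchmark text) reads the account's shell field from a passwd(5)-format file and reports whether it is a 'nologin' shell or '/dev/null'. It goes slightly beyond the item by accepting 'nologin' at any path and by treating an empty shell field as a failure, since passwd(5) defaults an empty field to /bin/sh. Assumptions: the function names `shell_of` and `check_service_shell` are hypothetical, and the passwd entries, including every account other than 'apache', are constructed sample data.

```shell
#!/bin/sh
# Added example: audit the login shell of a service account.
# check_service_shell returns: 0 compliant, 1 usable shell, 2 no such account.

shell_of() {
    # $1 = account, $2 = passwd(5)-format file. Exact match on field 1, so
    # "apache" does not match "apache2". Prints field 7 (may be empty).
    awk -F: -v u="$1" '
        $1 == u { print $7; found = 1; exit }
        END     { if (!found) exit 2 }' "$2"
}

check_service_shell() {
    account=$1
    passwd_file=${2:-/etc/passwd}
    shell=$(shell_of "$account" "$passwd_file") || return 2
    case "$shell" in
        */nologin|/dev/null) return 0 ;;  # values the benchmark item accepts
        *) return 1 ;;  # real shell, or empty field (passwd(5): /bin/sh)
    esac
}

# Constructed sample data, not taken from a real host.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache2:x:47:47:lookalike:/var/www:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
httpd:x:49:49:empty shell field:/var/www:
webdav:x:50:50:invalid shell:/var/www:/dev/null
EOF

for acct in apache apache2 www-data httpd webdav missing; do
    rc=0
    check_service_shell "$acct" "$SAMPLE" || rc=$?
    case $rc in
        0) echo "PASS  $acct" ;;
        1) echo "FAIL  $acct (fix: chsh -s /sbin/nologin $acct)" ;;
        2) echo "N/A   $acct (no such account)" ;;
    esac
done
```

On a live host, call `check_service_shell apache` with no second argument to read /etc/passwd.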

See Also

https://workbench.cisecurity.org/files/2378