3.2 Ensure the Apache User Account Has an Invalid Shell

Information

The apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to login.

Rationale:

Service accounts such as the apache account represent a risk if they can be used to get a login shell to the system.

Solution

Change the apache account to use the nologin shell or an invalid shell such as /dev/null:

# chsh -s /sbin/nologin apache

Default Value:

The default Apache user account is daemon. The daemon account may have a valid login shell or a shell of /sbin/nologin depending on the operating system distribution version.

See Also

https://workbench.cisecurity.org/files/3021