3.2 Ensure the Apache User Account Has an Invalid Shell

Information

The apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to login.

Rationale:

Service accounts such as the apache account represent a risk if they can be used to get a login shell to the system.

Solution

Change the apache account to use the nologin shell or an invalid shell such as /dev/null:

# chsh -s /sbin/nologin apache

Default Value:

The default Apache user account is daemon. The daemon account may have a valid login shell or a shell of /sbin/nologin depending on the operating system distribution version.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|4.3

Plugin: Unix

Control ID: d224c5c484a03c064845781f474e2f493b67ec32c39cfe6cefb3d5bac964b4ee