Information
It is important to make sure that accounts that are not used by regular users (system accounts) cannot be used to obtain an interactive shell. By default, CentOS 6 sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin. This prevents the account from potentially being used to run any commands.
Solution
Set the shell for any accounts returned by the audit script to /sbin/nologin:
# usermod -s /sbin/nologin <user>
The following script locks every system account (UID below 500) other than root, and sets the shell of each of those accounts to /sbin/nologin, except for sync, shutdown, and halt, which keep their special-purpose shells:
#!/bin/bash
# Iterate over system accounts: on CentOS 6, regular users start at UID 500.
for user in $(awk -F: '($3 < 500) {print $1}' /etc/passwd); do
    if [ "$user" != 'root' ]; then
        # Lock the password of every system account except root.
        usermod -L "$user"
        # sync, shutdown and halt keep their dedicated shells; all others get nologin.
        if [ "$user" != 'sync' ] && [ "$user" != 'shutdown' ] && [ "$user" != 'halt' ]; then
            usermod -s /sbin/nologin "$user"
        fi
    fi
done
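An audit check to run before and after the remediation, as an added example that is not part of the original benchmark text: it reports system accounts whose shell is still something other than /sbin/nologin, applying the same root/sync/shutdown/halt exceptions as the remediation script. The function names and the sample passwd lines are constructed for this example.

```shell
#!/bin/bash
# Audit: print "user:shell" for each system account (UID < 500, the
# CentOS 6 convention) whose shell is not /sbin/nologin. root is excluded
# because it must keep a shell; sync, shutdown and halt are excluded because
# /bin/sync, /sbin/shutdown and /sbin/halt are their intended shells.
# Reads passwd-format lines from stdin, so on a live host run:
#   audit_shells < /etc/passwd
audit_shells() {
    awk -F: '
        $3 < 500 &&
        $1 != "root" && $1 != "sync" && $1 != "shutdown" && $1 != "halt" &&
        $7 != "/sbin/nologin" { print $1 ":" $7 }
    '
}

# Constructed sample in /etc/passwd format (not taken from a real host).
# ftp and ntp are the two entries that should be flagged.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
ntp:x:38:38::/etc/ntp:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Run the audit over the sample; print findings and return 1 if any exist,
# so the function can drive a compliance check (0 = compliant).
audit_sample() {
    findings=$(printf '%s\n' "$SAMPLE_PASSWD" | audit_shells)
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Lock state is not visible in /etc/passwd; on a live host, check it separately with `passwd -S <user>`, which reports `LK` for a locked account.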