5.4.3.1 Ensure nologin is not listed in /etc/shells

Information

/etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh and available to be queried by other programs.

Be aware that there are programs which consult this file to find out if a user is a normal user; for example, FTP daemons traditionally disallow access to users with shells not included in this file.

A user can use chsh to change their configured shell.

If a user has a shell configured that isn't in in /etc/shells then the system assumes that they're somehow restricted. In the case of chsh it means that the user cannot change that value.

Other programs might query that list and apply similar restrictions.

By putting nologin in /etc/shells any user that has nologin as its shell is considered a full, unrestricted user. This is not the expected behavior for nologin

Solution

Edit /etc/shells and remove any lines that include nologin

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: cf2dfcbf3ad846a1b559d96ba9512f99a01ad6e3d4db527d691dbc2ac405f292