2.2.3 Ensure the NGINX service account has an invalid shell

Information

The nginx account should not have the ability to log in, so the /sbin/nologin shell should be set for the account.

Rationale:

The account used for nginx should only be used for the nginx service and does not need to have the ability to log in. This prevents an attacker who compromises the account from logging in with it.

Solution

Change the login shell for the nginx account to /sbin/nologin by using the following command:

usermod -s /sbin/nologin nginx
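To verify the setting before or after running the command above, the following added example (not part of the benchmark or the plugin) reads passwd(5)-format data and reports whether the account's shell is /sbin/nologin. The function names, the exit codes and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a service account's login shell in passwd(5)-format data.
REQUIRED_SHELL=/sbin/nologin   # value the page prescribes

# Print field 7 (login shell) of account $1 from file $2; exit 2 if no entry.
# The exact match on field 1 avoids also matching names such as "nginx-agent".
account_shell() {
    awk -F: -v u="$1" '
        $1 == u { print $7; found = 1; exit }
        END     { if (!found) exit 2 }
    ' "$2"
}

# 0 = compliant, 1 = login-capable or unexpected shell, 2 = account not found.
check_service_shell() {
    acct=$1
    file=${2:-/etc/passwd}
    shell=$(account_shell "$acct" "$file") || { echo "UNKNOWN: no entry for $acct"; return 2; }
    # passwd(5): an empty shell field means /bin/sh, so it counts as a failure.
    [ -n "$shell" ] || shell="/bin/sh (empty field)"
    if [ "$shell" = "$REQUIRED_SHELL" ]; then
        echo "PASS: $acct shell is $shell"
        return 0
    fi
    echo "FAIL: $acct shell is $shell, expected $REQUIRED_SHELL"
    return 1
}

# Constructed sample entries (not from a real host): one failing, one compliant.
demo() {
    tmp=$(mktemp) || return 0
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'nginx:x:996:993:Nginx web server:/var/lib/nginx:/bin/bash' > "$tmp"
    check_service_shell nginx "$tmp" || true
    # Stand-in for the effect of "usermod -s /sbin/nologin nginx" on the sample.
    sed 's#^\(nginx:.*\):/bin/bash$#\1:/sbin/nologin#' "$tmp" > "$tmp.fixed"
    check_service_shell nginx "$tmp.fixed" || true
    rm -f "$tmp" "$tmp.fixed"
}
demo
```

On a live host, call check_service_shell nginx with no file argument to read /etc/passwd; accounts served from a directory service do not appear in that file.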

Default Value:

The nginx user has a shell of /sbin/nologin by default on RHEL systems.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 576187c2ffcf28965cb5a0355d6afd2d59fe59b0c64740f2e0a85e8b8afe2bf4