{"description": "Some accounts are not associated with a human user of the system, and exist to perform some\nadministrative functions. Should an attacker be able to log into these accounts, they should\nnot be granted access to a shell.\n<br/><br/>\nThe login shell for each local account is stored in the last field of each line in\n<tt>/etc/passwd</tt>. System accounts are those user accounts with a user ID less than\n<tt>1000</tt>. The user ID is stored in the third field. If any system account\nother than <tt>root</tt> has a login shell, disable it with the command:\n<pre>$ sudo usermod -s /sbin/nologin <i>account</i></pre>", "rationale": "Ensuring shells are not given to system accounts upon login makes it more difficult for\nattackers to make use of system accounts.", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "3", "5", "7", "8"], "cobit5": ["DSS01.03", "DSS03.05", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 6.2"], "iso27001-2013": ["A.12.4.1", "A.12.4.3", "A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["AC-6", "CM-6(a)", "CM-6(b)", "CM-6.1(iv)"], "nist-csf": ["DE.CM-1", "DE.CM-3", "PR.AC-1", "PR.AC-4", "PR.AC-6"], "srg": ["SRG-OS-000480-GPOS-00227"], "cis": ["5.4.2.7"], "ism": ["1491"], "pcidss4": ["8.2.2", "8.2"]}, "control_references": {"cis": ["5.4.2.7"], "ism": ["1491"], "pcidss4": ["8.2.2", "8.2"]}, "components": [], "identifiers": {}, "ocil_clause": "any system account other than root has a login shell", "ocil": "To obtain a listing of all users, their UIDs, and their shells, run the command:\n<pre>$ awk -F: '{print $1 \":\" $3 \":\" $7}' /etc/passwd</pre>\nIdentify the system accounts from this listing. These will primarily be the accounts with UID\nnumbers less than 1000, other than root.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 so that all non-interactive accounts on the system have no interactive shell assigned to them.\n\nRun the following command to disable the interactive shell for a specific non-interactive user account:\n\n$ sudo usermod --shell /sbin/nologin account", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 system accounts must not have have login shell.", "warnings": [{"functionality": "Do not perform the steps in this section on the root account. Doing so might cause the\nsystem to become inaccessible."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 system accounts must not have an interactive login shell.", "vuldiscussion": "Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.", "checktext": "Verify that system accounts must not have an interactive login shell with the following command:\n\n$ awk -F: '($3&lt;1000){print $1 \":\" $3 \":\" $7}' /etc/passwd\n\nroot:0:/bin/bash\nbin:1:/sbin/nologin\ndaemon:2:/sbin/nologin\nadm:3:/sbin/nologin\nlp:4:/sbin/nologin\n\nIdentify the system accounts from this listing that do not have a nologin shell.\n\nIf any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding.", "fixtext": "Configure Ubuntu 22.04 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.\n\nIf the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO).\n\nRun the following command to disable the interactive shell for a specific noninteractive user account:\n\nReplace &lt;user&gt; with the user that has a login shell.\n\n$ sudo usermod --shell /sbin/nologin &lt;user&gt;\n\nDo not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible."}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure that System Accounts Do Not Run a Shell Upon Login", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml", "template": null}