AlmaLinux OS 9 system accounts must not have an interactive login shell.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269300 | ALMA-09-024990 | SV-269300r1050182_rule | CCI-000366 | medium |
| Description | ||||
| Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. | ||||
| STIG | Date | |||
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 | |||
Details
Check Text (C-269300r1050182_chk)
Verify that system accounts must not have an interactive login shell with the following command:
$ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd
root:0:/bin/bash
bin:1:/sbin/nologin
daemon:2:/sbin/nologin
adm:3:/sbin/nologin
lp:4:/sbin/nologin
sync:5:/bin/sync
shutdown:6:/sbin/shutdown
halt:7:/sbin/halt
mail:8:/sbin/nologin
operator:11:/sbin/nologin
games:12:/sbin/nologin
ftp:14:/sbin/nologin
systemd-coredump:999:/sbin/nologin
dbus:81:/sbin/nologin
polkitd:998:/sbin/nologin
tss:59:/sbin/nologin
sssd:997:/sbin/nologin
unbound:996:/sbin/nologin
fapolicyd:995:/sbin/nologin
postfix:89:/sbin/nologin
sshd:74:/sbin/nologin
chrony:994:/sbin/nologin
systemd-oom:989:/usr/sbin/nologin
Identify the system accounts from this listing that do not have a nologin shell.
If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding.
Fix Text (F-73232r1049468_fix)
Configure AlmaLinux OS 9 so that all noninteractive accounts on the system do not have an interactive shell assigned to them.
If the system account needs a shell assigned for mission operations, document the need with the ISSO.
Run the following command to disable the interactive shell for a specific noninteractive user account, replacing <user> with the user that has a login shell.
$ usermod --shell /sbin/nologin <user>
Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.