The SUSE operating system must not have unnecessary account capabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-234875 | SLES-15-020091 | SV-234875r991589_rule | CCI-000366 | medium |
| Description | ||||
| Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non interactive accounts should not have an interactive shell assigned to them. | ||||
| STIG | Date | |||
| SUSE Linux Enterprise Server 15 Security Technical Implementation Guide | 2025-05-14 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-234875r991589_chk)
Verify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them.
Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
Check the system accounts on the system with the following command:
> awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd
root:0:/bin/bash
nobody:65534:/bin/bash
If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.
Fix Text (F-38026r618895_fix)
Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them.
Run the following command to disable the interactive shell for a specific non-interactive user account:
> sudo usermod --shell /sbin/nologin nobody