TOSS 5 system accounts must not have an interactive login shell.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282723TOSS-05-000296SV-282723r1201149_ruleCCI-000366medium
Description
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282723r1201149_chk)

Verify system accounts must not have an interactive login shell using the following command: $ awk -F: '($3<1000){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash bin:1:/sbin/nologin daemon:2:/sbin/nologin adm:3:/sbin/nologin lp:4:/sbin/nologin Identify the system accounts from this listing that do not have a nologin or similar noninteractive shell. If any system account (other than the root account) has a login shell and it is not documented with the information system security officer (ISSO), this is a finding.

Fix Text (F-87189r1201148_fix)

Configure TOSS 5 so that all noninteractive accounts on the system do not have an interactive shell assigned to them. If the system account needs a shell assigned for mission operations, document the need with the information system security officer (ISSO). Run the following command to disable the interactive shell for a specific noninteractive user account: Replace <user> with the user that has a login shell. $ sudo usermod --shell /sbin/nologin <user> Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible.