Title

The SUSE operating system must not have unnecessary account capabilities. (Cat II impact)

Discussion

Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non-interactive accounts should not have an interactive shell assigned to them.

Check Content

Verify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.

Fix Text

Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific non-interactive user account: > sudo usermod --shell /sbin/nologin nobody

Additional Identifiers

Rule ID: SV-237606r991589_rule

Vulnerability ID: V-237606

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.