5.4.2.8 Ensure accounts without a valid login shell are locked

Audit

Run the following script to verify that all non-root accounts without a valid login shell are locked. The audit only reports; it does not change any account.

#!/usr/bin/env bash
{
   # Build a regex of valid login shells from /etc/shells: absolute paths only,
   # excluding any shell whose basename is "nologin" (an account whose shell is
   # nologin still has to be locked).
   l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
   # For every non-root account whose shell is not in the list, report it unless
   # "passwd -S" shows its password status as locked ("L").
   while IFS= read -r l_user; do
      passwd -S "$l_user" | awk '$2 !~ /^L/ {print "Account: \"" $1 "\" does not have a valid login shell and is not locked"}'
   done < <(awk -v pat="$l_valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
}

Nothing should be returned.

Remediation

Run the following command to lock any non-root accounts without a valid login shell returned by the audit:

# usermod -L <user>

Example script that performs the same selection as the audit and locks each account it finds:

#!/usr/bin/env bash
{
   # Same valid-shell regex as the audit: /etc/shells entries that are absolute
   # paths, with "nologin" excluded.
   l_valid_shells="^($(awk -F\/ '$NF != "nologin" {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
   # Lock every non-root account with an invalid shell that is not already locked.
   while IFS= read -r l_user; do
      passwd -S "$l_user" | awk '$2 !~ /^L/ {system ("usermod -L " $1)}'
   done < <(awk -v pat="$l_valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
}
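The audit and remediation scripts above both operate on the live system through /etc/passwd, /etc/shells and passwd -S. The following is an added example, not part of the benchmark, that applies the same selection logic to copies of those files given as explicit paths, so the check can be run offline against a collected snapshot and the remediation can be reviewed as a list of commands before anything is changed. The function names (unlocked_without_valid_shell, remediation_plan), the sample files and the use of the shadow password field (a leading "!" or "*", which passwd -S reports as "L") as the lock indicator are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the benchmark's own code): offline variant of the
# 5.4.2.8 audit. Inputs are explicit paths to passwd, shadow and shells files
# so the check can run against a snapshot instead of the live system.

# Print each non-root account whose login shell is not a valid shell from the
# shells file and whose shadow entry is not locked. Lock state is inferred from
# the shadow password field: "!" or "*" as first character is what "passwd -S"
# reports as "L" (assumption of this example).
unlocked_without_valid_shell() {
  local passwd_file="$1" shadow_file="$2" shells_file="$3"
  awk -F: '
    # Pass 1 (shells file): remember valid shells, i.e. absolute paths whose
    # basename is not "nologin" (mirrors the benchmark: awk -F/ $NF != "nologin").
    FILENAME == ARGV[1] {
      if ($0 ~ /^\//) { n = split($0, p, "/"); if (p[n] != "nologin") valid[$0] = 1 }
      next
    }
    # Pass 2 (shadow file): an account is locked if its password field starts
    # with "!" (usermod -L) or "*".
    FILENAME == ARGV[2] { locked[$1] = ($2 ~ /^[!*]/); next }
    # Pass 3 (passwd file): report non-root accounts with an invalid shell that
    # are not locked. The shell is the last field, as in the benchmark ($NF).
    $1 != "root" && !($NF in valid) && !locked[$1] { print $1 }
  ' "$shells_file" "$shadow_file" "$passwd_file"
}

# Emit the remediation command for each finding instead of executing it, so the
# plan can be reviewed before it is applied on the real host.
remediation_plan() {
  unlocked_without_valid_shell "$@" | sed 's/^/usermod -L /'
}

# Constructed sample files standing in for /etc/shells, /etc/passwd and
# /etc/shadow (hashes are placeholders, not real).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin
EOF

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
svc_backup:x:998:998::/var/backups:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sync:!:19000:0:99999:7:::
svc_backup:$6$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:19000:0:99999:7:::
EOF

# daemon (nologin, locked with "*") and sync (/bin/sync, locked with "!") pass;
# alice has a valid shell; root is skipped; svc_backup (/bin/false, unlocked)
# is the only finding.
echo "Findings:"
unlocked_without_valid_shell "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/shells"
echo "Remediation plan:"
remediation_plan "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/shells"
```

Note that an account whose shell is nologin is still flagged unless it is locked, exactly as in the benchmark script, because a usable password on such an account can still be used for non-shell access paths (for example, FTP or sudo) and locking the password is what the control requires.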