Skip to content

4503-nginx-nologin - Ensure the NGINX service account shell is invalid


Rule ID

  • 4503-nginx-nologin

Category

  • nginx

Level

  • warn

Compatible Versions

  • Linux

Description

  • The nginx account should not be able to log in, so the shell for this account should be set to /sbin/nologin.

Scan Frequency

  • 0 */30 * * *

Theoretical Basis

  • The account used for nginx should only be used for the nginx service and does not need login capabilities. This can prevent attackers from using the account to log in.

Risk Items

  • nginx security

Audit Method

  • Execute the following command to verify:
grep nginx /etc/passwd

Remediation

  • Execute the following command:
    #> chsh -s /sbin/nologin nginx
    

Impact

  • This ensures that the nginx user account cannot be used by human users.

Default Value

  • By default, the shell for the nginx user is /sbin/nologin.

References

CIS Controls

  • None

Feedback

Is this page helpful? ×