Add rule no_invalid_shell_accounts_unlocked

ComplianceAsCode · Jan 23, 2025 · 98b4292 · 98b4292
1 parent 2edb023
commit 98b4292
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -185,6 +185,7 @@ rules:
 - no_empty_passwords
 - no_empty_passwords_etc_shadow
 - no_forward_files
+- no_invalid_shell_accounts_unlocked
 - no_legacy_plus_entries_etc_group
 - no_legacy_plus_entries_etc_passwd
 - no_legacy_plus_entries_etc_shadow

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2208,8 +2208,11 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - no_invalid_shell_accounts_unlocked
+    status: automated
+    notes: |
+      Remediation is not automated.
 
   - id: 5.4.3.1
     title: Ensure nologin is not listed in /etc/shells (Automated)

diff --git a/...em/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml b/...em/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Verify Non-Interactive Accounts Are Locked'
+
+description: |-
+    Accounts meant for non-interactive purposes should be locked to prevent
+    unauthorized access. Accounts with non-standard shells (those not defined in
+    <tt>/etc/shells</tt>) should be locked using <tt>usermod -L</tt>.
+
+rationale: |-
+    Locking non-interactive accounts improves security by preventing potential
+    misuse. While many systems configure these accounts with invalid strings,
+    setting the shell field to <tt>nologin</tt> is also suggested
+
+severity: medium
+
+warnings:
+    - general: |-
+        Automatic remediation of this control is not recommended. Locking system accounts
+        could be highly disruptive.