A Linux administrator is hardening a new server that runs several daemons, including a web server and a database. Each service runs under its own dedicated, non-root user account. To MOST effectively minimize the server's attack surface related to these accounts, which of the following actions should the administrator take?
Changing the home directory permissions of the service accounts to 700.
Setting a strong, unique password for each service account.
Configuring PAM modules to limit the access times for the service accounts.
Changing the login shell of the service accounts to /sbin/nologin.
Setting a strong, unique password for service accounts is an important security measure. However, the best and most secure practice is to disable interactive login capabilities entirely for service accounts. This is achieved by changing the account's shell to /sbin/nologin or /bin/false. This change prevents the account from being used for an interactive session (like via SSH or at the console) while still allowing the system to use the account context to run its designated service. This method is superior because it removes the login capability altogether, mitigating risks from compromised passwords or SSH keys for interactive access. Restrictive home directory permissions and PAM configurations are also good security practices, but they do not prevent interactive logins as effectively as setting a non-login shell.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is `/sbin/nologin` used for service accounts?
Open an interactive chat with Bash
What are the differences between `/sbin/nologin` and `/bin/false`?
Open an interactive chat with Bash
How does setting a non-login shell improve security?