In the scenario where a Linux system has multiple services running, which of the following actions is the BEST practice to secure the corresponding service accounts?
Changing the default shell of the service accounts to /bin/nologin.
Changing the home directory permissions of service accounts to 700.
Setting a strong, unique password for each service account.
Configuring PAM modules to limit the access times for service accounts.
Setting a strong, unique password for service accounts is essential as it ensures that each service has its distinct access credentials, which can prevent unauthorized access if one service is compromised. Locking service accounts with shell access adds an additional layer of security. Disabling login capabilities entirely for service accounts is the most secure practice because it mitigates the risk of these accounts being used to gain unauthorized system access. While changing the default shell to /bin/false or nologin reduces the functionality of the account for interactive use, it does not prevent the account from executing its service-related tasks. The reason this is the best practice is that it does not rely on password strength or the potential for a password to be compromised, as it altogether disables the ability for the service account to be used for direct logins. Service accounts should not be used for interactive logins, and their purpose is to run the corresponding service. Changing the home directory permissions and using PAM modules are also good security practices, but they do not restrict login capabilities as effectively as setting the shell to nologin.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are service accounts in Linux?
Open an interactive chat with Bash
What does changing the shell to `/bin/nologin` do?
Open an interactive chat with Bash
Why is it important to set strong, unique passwords for service accounts?