Shell for the octavia user should be set to nologin

Bug #1993647 reported by Przemyslaw Hausman
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| OpenStack Octavia Charm | Invalid | Undecided | Unassigned | |
| octavia (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

By default, the shell for the octavia user is set to /bin/sh:

```
# grep octavia /etc/passwd
octavia:x:116:124::/var/lib/octavia:/bin/sh
```

However, the CIS hardening rule "Ensure system accounts are secured" requires system accounts to be secured and the shell set to nologin.

As a workaround, you can run the following on octavia units:
```
# usermod -s "$(which nologin)" octavia
```

tags: added: cis-hardening
description: updated
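
An audit for the condition this report describes, as an added example that is not part of the original report, the charm or the package: it lists system accounts in a passwd-format file that still have a login shell, including entries with an empty shell field. The UID_MIN default of 1000, the exempt account names, and every sample line except the octavia entry are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): flag system accounts that can
# still start an interactive shell.
# Assumptions: "system account" means UID below uid_min (default 1000);
# root, sync, shutdown and halt are exempt; nologin and false are
# treated as non-login shells.

# Constructed sample input. Only the octavia line is taken from the report.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
octavia:x:116:124::/var/lib/octavia:/bin/sh
svc-empty:x:117:125::/nonexistent:
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF
}

# audit_system_shells [passwd_file|-] [uid_min]
# Prints one line per offending account: "<name> uid=<uid> shell=<shell>".
audit_system_shells() {
    passwd_file=${1:-/etc/passwd}
    uid_min=${2:-1000}
    awk -F: -v uid_min="$uid_min" '
        NF < 7 { next }                                  # comments, blank or malformed lines
        $1 ~ /^(root|sync|shutdown|halt)$/ { next }      # exempt accounts (assumption)
        ($3 + 0) >= uid_min { next }                     # regular user, out of scope
        $7 ~ /^(\/usr)?\/s?bin\/(nologin|false)$/ { next }  # already locked down
        {
            # An empty seventh field means the system default shell is used.
            shell = ($7 == "" ? "(empty: default shell)" : $7)
            printf "%s uid=%s shell=%s\n", $1, $3, shell
        }
    ' "$passwd_file"
}

# Demo on the constructed sample; pass /etc/passwd to audit a real host.
sample_passwd | audit_system_shells -
```

Each account the audit prints is a candidate for the `usermod -s` workaround given in the bug description.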
Felipe Reyes (freyes) wrote :

Adding a task for the 'octavia' deb package since it's the component that creates the user.

Changed in charm-octavia:
status: New → Invalid