invalid_login_shells
This built-in function ensures that each user has a valid shell as defined in /etc/shells.
The /etc/shells file is consulted by applications such as Sendmail and FTP servers to determine whether a shell is valid on the system. Although the login program does not use it, administrators can use this file to define which shells are valid on the system. The invalid_login_shells check verifies that every user in the /etc/passwd file is configured with a shell listed in the /etc/shells file.
This avoids unsanctioned practices such as setting /sbin/passwd as a login shell so that users can change their passwords. If you do not want a user to be able to log in, add a non-login shell to /etc/shells (e.g., /nonexistent) and set it for the users concerned. Bear in mind that every service which consults /etc/shells treats each entry as a valid shell, so a shell that exists but refuses logins, such as /sbin/nologin or /bin/false, achieves the same result without listing a path that does not exist. If you have users without a valid shell, define a valid shell for them.
Usage
<item>
name: "invalid_login_shells"
description: "This check reports user accounts with shells that do not exist or are not listed in /etc/shells."
</item>
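The following is an added example, not the check's own implementation: a POSIX shell function that applies the two criteria stated in the description (a shell not listed in /etc/shells, or listed but absent from disk) to a passwd file, run here against constructed sample passwd and shells files rather than a real host. The function names and the sample accounts are this example's own.

```shell
#!/bin/sh
# Added example; not part of the invalid_login_shells implementation.

# check_login_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell:reason" for every account whose shell is either not
# listed in SHELLS_FILE or listed there but not an executable on this host.
check_login_shells() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # skip blank and commented lines
        case "$user" in ''|\#*) continue ;; esac
        # passwd(5): an empty shell field means /bin/sh
        [ -n "$shell" ] || shell=/bin/sh
        # -F/-x: match the path literally and as a whole line, so comments and
        # blank lines in the shells file never count as a match
        if ! grep -qxF -- "$shell" "$shells_file"; then
            printf '%s:%s:not-in-etc-shells\n' "$user" "$shell"
        elif [ ! -x "$shell" ]; then
            printf '%s:%s:missing\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# Constructed sample data (not taken from a real host): a normal user, an
# account abusing /sbin/passwd as its shell, and a service account whose
# shell is listed in the shells file but does not exist on disk.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/sbin/passwd
svc:x:999:999:service account:/var/lib/svc:/nonexistent
EOF
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/nonexistent
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run against the sample data. On a real host, run
#   check_login_shells /etc/passwd /etc/shells
dir=$(make_sample_files)
check_login_shells "$dir/passwd" "$dir/shells"
rm -rf "$dir"
```

Against the sample data the function reports bob (shell not in the shells file) and svc (listed, but the path does not exist), while root and alice pass. Any account it prints is one the check would flag; fix it by assigning a shell that both exists and is listed in /etc/shells.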