
I am using pwck for the first time with Lynis 3.0.7 on Ubuntu 20.04 server and I have some strange output. I hope someone might help me interpret what I am seeing. [screenshot of the pwck output]

I am working on freshly installed, clean systems, that I "trust" (for now) to be clean. I don't understand the "invalid password file entry" response and how to correct it. Obviously, I am checking the passwd and shadow files. Why is it showing legitimate entries as invalid?

Glorfindel

1 Answer


The invalid entries aren’t legitimate: they have two login shells. For example,

sync:*:4:65534:sync:/bin:/bin/sync:/usr/sbin/nologin

should only have

sync:*:4:65534:sync:/bin:/bin/sync

All your invalid entries have an extra :/usr/sbin/nologin appended. In most cases, if you were to follow the advice in the guide you’re reading, you’d actually replace the last entry:

clamav:x:109:109::/var/lib/clamav:/usr/sbin/nologin

However, for entries already using /bin/false, this makes no practical difference in terms of security; see What's the difference between /sbin/nologin and /bin/false for details.

Your analysis of /etc/shadow fails because pwck expects the first file given to it to be a passwd file, not a shadow file. To analyse a shadow file, you need to provide the corresponding passwd file simultaneously:

pwck -r /etc/passwd /etc/shadow

(This replaces both your commands to analyse /etc/passwd and /etc/shadow in one go.)

Stephen Kitt
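The following is an added example, not part of the answer above, that reproduces the mistake pwck flagged and shows the two possible corrections on a constructed copy of a passwd file rather than the real /etc/passwd. The sample entries are constructed for illustration; the function names (count_invalid, restore_entries, set_shell, shell_of) are this example's own and require only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original answer). Works on a constructed
# passwd-format file so it can be run safely anywhere; never edit the
# real /etc/passwd with these functions, use usermod(8) / vipw(8) there.

# Constructed sample: two entries in the broken state from the question
# (an eighth field appended after the login shell) and two valid entries.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:*:4:65534:sync:/bin:/bin/sync:/usr/sbin/nologin
clamav:x:109:109::/var/lib/clamav:/bin/false:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# count_invalid [FILE]: number of lines that do not have exactly the seven
# colon-separated fields a passwd entry must have. These are the lines pwck
# reports as "invalid password file entry". Reads stdin when FILE is omitted.
count_invalid() {
    awk -F: 'NF != 7 { n++ } END { print n + 0 }' "$@"
}

# restore_entries [FILE]: undo the guide's "append /usr/sbin/nologin" step by
# dropping the appended eighth field, giving back the original seven-field
# entry (e.g. sync keeps its real shell /bin/sync).
restore_entries() {
    awk -F: 'BEGIN { OFS = ":" }
        NF == 8 && $8 ~ /nologin$/ { print $1, $2, $3, $4, $5, $6, $7; next }
        { print }' "$@"
}

# set_shell USER SHELL [FILE]: what the guide should have said: replace the
# seventh (shell) field of USER instead of adding a field. On a live system
# the equivalent is: usermod -s /usr/sbin/nologin USER
set_shell() {
    sh_user=$1; sh_shell=$2; shift 2
    awk -F: -v user="$sh_user" -v shell="$sh_shell" 'BEGIN { OFS = ":" }
        NF == 7 && $1 == user { $7 = shell }
        { print }' "$@"
}

# shell_of USER [FILE]: print the shell field of USER, for checking results.
shell_of() {
    sh_user=$1; shift
    awk -F: -v user="$sh_user" '$1 == user { print $7 }' "$@"
}

# Demonstration on a temporary file. After a real fix, validate with
#   pwck -r /etc/passwd /etc/shadow
# as the answer describes (passwd first, shadow second).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_file"
echo "invalid entries before: $(count_invalid "$demo_file")"
echo "invalid entries after restore: $(restore_entries "$demo_file" | count_invalid)"
echo "clamav shell after proper hardening: $(restore_entries "$demo_file" \
    | set_shell clamav /usr/sbin/nologin | shell_of clamav)"
rm -f "$demo_file"
```

Both corrections leave every entry with seven fields, so pwck stops complaining; the difference is only whether the account's shell is restored to what the distribution shipped or set to /usr/sbin/nologin, which for accounts already using /bin/false makes no practical difference, as the answer notes.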
  • Thank you for the feedback.. you turned on a light for me. The "/usr/sbin/nologin" part came from server hardening guide and is used to prevent a system account from being used to get an interactive shell, https://linoxide.com/ultimate-guide-secure-ubuntu/ – Time-Bandit Mar 01 '22 at 10:31
  • Right, please don’t blindly follow hardening guides. – Stephen Kitt Mar 01 '22 at 10:35
  • In fact that “hardening” guide is really bad :-(. – Stephen Kitt Mar 01 '22 at 10:38
  • I don't intend to blindly follow anything, but as a relatively inexperienced user, it is difficult to know which guide is good and which guide isn't. In a different forum they loved the guide. Do you have a guide that you would recommend? I tend to compare and contrast and pick strategies that seem logical and applicable to my needs. – Time-Bandit Mar 01 '22 at 11:45
  • @yupthatguy my point is that when you see instructions like “append /usr/sbin/nologin at the end of each system accounts in /etc/passwd”, I think it’s important to understand what that does — and hopefully realise that it should say “replace the last field ...”. I know that it’s really difficult to evaluate what constitutes a good security guide, or even to evaluate whether a recommendation one way or another is valid. I’m afraid I don’t have much fondness for security guides in general, so I don’t have any to recommend. – Stephen Kitt Mar 01 '22 at 12:53
  • While I highly appreciate the feedback, I think it's practical in general to be aware that people just learning about Linux security without formal training are not going to miraculously "realize" that something they have never seen before is right or wrong or subtly worded incorrectly. "New" is not the same as "foolish". Learning is a mistake-ridden process and forums like these are part of how new users learn. Would you mind adding what the correct use of /usr/sbin/nologin should look like, in case others make the same mistake following that guide? – Time-Bandit Mar 01 '22 at 13:27
  • I don’t expect people to realise anything magically; I would like people to understand that security is very context-specific and always a matter of compromise, and it’s important to evaluate what those compromises are. Security guides which purport to give a series of one-size-fits-all hardening recipes without explaining those compromises end up being misleading at best. Ultimately that means that if you don’t understand what a security guide is trying to get you to do (and that doesn’t mean you’re foolish, at all), you might want to find out more about it. – Stephen Kitt Mar 01 '22 at 13:55
  • And yes, asking questions on a site such as this one is fine, that’s what they’re here for. It would be better to do so before applying hardening recommendations ;-). It would also be better to avoid claiming that “[you are] working on freshly installed, clean systems” when you’ve modified them. – Stephen Kitt Mar 01 '22 at 13:57
  • Above all, I don’t blame people trying to secure their systems; I blame authors of security guides and our general inability to produce systems that are secure by default. – Stephen Kitt Mar 01 '22 at 14:18