There seems to be some debate on this, but I think /dev/null should be a valid setting for system accounts
diff --git a/shared/oval/no_shelllogin_for_systemaccounts.xml b/shared/oval/no_shelllogin_for_systemaccounts.xml index d38e4bb..aeda9d5 100644 --- a/shared/oval/no_shelllogin_for_systemaccounts.xml +++ b/shared/oval/no_shelllogin_for_systemaccounts.xml @@ -18,7 +18,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_no_shelllogin_for_systemaccounts" version="1"> ind:filepath/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!/sbin/nologin|/bin/sync|/sbin/shutdown|/sbin/halt).*$</ind:pattern> + <ind:pattern operation="pattern match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!/sbin/nologin|/bin/sync|/sbin/shutdown|/sbin/halt|/dev/null).*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>