Locks and disables interactive shell access for system accounts with UIDs below 1000 to prevent unauthorized logins
This Automox Worklet™ secures system accounts on Linux endpoints by preventing interactive logins. The Worklet processes all accounts in /etc/passwd with UIDs below 1000, which are typically reserved for system and service accounts rather than human users.
For each qualifying account (except root, halt, sync, and shutdown), the Worklet uses usermod to lock the account (-L flag) and set the login shell to /sbin/nologin (-s flag). Together, the locked password and the nologin shell prevent interactive logins to these accounts through both password and SSH key authentication.
System accounts like daemon, bin, sys, mail, and games exist for service isolation, not interactive use. When these accounts have functional shells and unlocked passwords, they become targets for privilege escalation attacks.
Attackers who compromise a service running as a system account look for ways to escalate to interactive access. If the service account has a valid shell, the attacker can potentially spawn shells, run additional commands, or pivot through the network.
CIS Benchmarks recommend setting all system accounts to nologin shells. This Worklet automates that recommendation across your fleet. The root account is preserved because administrative access requires it, and halt, sync, and shutdown are preserved for system operations.
Evaluation phase: Always triggers remediation (exit 1) to apply the configuration. This is a run-once hardening action.
Remediation phase: Parses /etc/passwd using awk to find accounts with UID less than 1000. For each account (excluding root), runs usermod -L to lock the account. For accounts other than root, halt, sync, and shutdown, also runs usermod -s /sbin/nologin to disable the login shell.
Linux endpoints with standard /etc/passwd structure
Root privileges for the Automox agent
/sbin/nologin must exist on the endpoint
Review services running as system accounts to verify they do not require interactive shells
Compatible with workstations and servers
After remediation, all system accounts with UIDs below 1000 (except root, halt, sync, shutdown) are locked and have /sbin/nologin as their shell. Verify by running grep -E '^[^:]+:[^:]+:[0-9]{1,3}:' /etc/passwd to view accounts and their shells.
Services running as these accounts continue to function because services do not require interactive shells. Direct SSH or console login as system accounts returns a nologin message. The root account remains fully functional for administrative tasks.
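The grep check above lists every account with a UID below 1000. The following added example (not the Worklet's own code) narrows that to accounts that still have an interactive shell. The function names, the constructed sample data, and the choice to treat any shell path ending in /nologin or /false as disabled are assumptions.

```shell
#!/bin/sh
# Added example (not the Worklet's code): read-only audit of system-account shells.
EXEMPT="root halt sync shutdown"   # accounts the page says are preserved

# Prints "name uid shell" for every non-exempt account with UID < 1000 whose
# shell still allows an interactive login; returns 1 if any are found.
# Assumption: any shell path ending in /nologin or /false counts as disabled.
audit_system_shells() {
    awk -F: -v exempt="$EXEMPT" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        /^#/ || NF < 7            { next }   # comment or malformed entry
        $3 !~ /^[0-9]+$/          { next }   # UID field must be numeric
        ($3 + 0) >= 1000          { next }   # regular user accounts are out of scope
        ($1 in skip)              { next }   # preserved accounts
        $7 ~ /\/(nologin|false)$/ { next }   # already non-interactive
        { print $1, $3, ($7 == "" ? "(empty)" : $7); found = 1 }
        END { exit found + 0 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample in passwd format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
games:x:12:100:games:/usr/games:
mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}
```

Calling audit_system_shells with no argument reads /etc/passwd; an empty shell field is reported because the system falls back to a default shell for it.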
Run this Worklet on a pilot Linux endpoint and review the evaluation output for "set all accounts below uid 1000 to nologin".
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic, such as its exit status.
Validate remediation effects from script operations such as awk and /usr/sbin/usermod, then rerun the evaluation for compliance.
For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for "set all accounts below uid 1000 to nologin". This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include evaluation operations such as exit and remediation operations such as awk and /usr/sbin/usermod. Use these indicators to verify that endpoint changes match intended policy outcomes.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
