ComplianceAsCode · Mab879 · Dec 15, 2025 · Dec 12, 2025
@@ -2283,7 +2283,8 @@ controls:
           - l1_server
           - l1_workstation
       status: automated
-      notes: New rule is necessary.
+      rules:
+          - no_invalid_shell_accounts_unlocked
 
     - id: 5.4.3.1
       title: Ensure nologin is not listed in /etc/shells (Automated)

diff --git a/...em/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml b/...em/accounts/accounts-restrictions/root_logins/no_invalid_shell_accounts_unlocked/rule.yml
@@ -15,6 +15,8 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel9: CCE-86746-5
+    cce@rhel10: CCE-86751-5
     cce@sle15: CCE-92591-7
 
 warnings:

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-echo "testuser:*:1001:1001::/home/testuser:/bin/bash" > /etc/passwd
-echo "testuser:!:20111:0:99999:7:::" > /etc/shadow
+echo "newuser:*:1001:1001::/home/newuser:/bin/bash" >> /etc/passwd
+echo "newuser:!:20111:0:99999:7:::" >> /etc/shadow
 echo "/bin/bash" >> /etc/shells
@@ -1,5 +1,5 @@
 #!/bin/bash
 # remediation = none
 
-echo "testuser:x:8000:8000:testuser:/home/testuser:/bin/dash" > /etc/passwd
-echo "/bin/bash" > /etc/shells
+echo "newuser:x:8000:8000:newuser:/home/newuser:/bin/invalid_shell" >> /etc/passwd
+echo "/bin/someothershell" > /etc/shells
@@ -2212,10 +2212,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          Introduced in CIS RHEL9 v2.0.0.
-          New rule is necessary.
+      status: automated
+      rules:
+          - no_invalid_shell_accounts_unlocked
 
     - id: 5.4.3.1
       title: Ensure nologin is not listed in /etc/shells (Automated)

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -77,8 +77,6 @@ CCE-86734-1
 CCE-86742-4
 CCE-86743-2
 CCE-86745-7
-CCE-86746-5
-CCE-86751-5
 CCE-86752-3
 CCE-86773-9
 CCE-86774-7

@@ -312,6 +312,7 @@ no_empty_passwords_etc_shadow
 no_files_or_dirs_ungroupowned
 no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_nologin_in_shells
 no_password_auth_for_systemaccounts

@@ -219,6 +219,7 @@ no_empty_passwords_etc_shadow
 no_files_or_dirs_ungroupowned
 no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rhost_files

@@ -215,6 +215,7 @@ no_empty_passwords_etc_shadow
 no_files_or_dirs_ungroupowned
 no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rhost_files

@@ -312,6 +312,7 @@ no_empty_passwords_etc_shadow
 no_files_or_dirs_ungroupowned
 no_files_or_dirs_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_nologin_in_shells
 no_password_auth_for_systemaccounts

@@ -279,6 +279,7 @@ no_empty_passwords
 no_empty_passwords_etc_shadow
 no_files_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rsh_trust_files

@@ -190,6 +190,7 @@ no_empty_passwords
 no_empty_passwords_etc_shadow
 no_files_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rsh_trust_files

@@ -187,6 +187,7 @@ no_empty_passwords
 no_empty_passwords_etc_shadow
 no_files_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rsh_trust_files

@@ -279,6 +279,7 @@ no_empty_passwords
 no_empty_passwords_etc_shadow
 no_files_unowned_by_user
 no_forward_files
+no_invalid_shell_accounts_unlocked
 no_netrc_files
 no_password_auth_for_systemaccounts
 no_rsh_trust_files