Skip to content

Ensure that System Accounts Are Locked

An XCCDF Rule

Description

Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts.

System accounts are those user accounts with a user ID less than 1000. If any system account other than root, halt, sync, shutdown and nfsnobody has an unlocked password, disable it with the command:

$ sudo usermod -L account

Rationale

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

ID
xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts
Severity
Medium
References
Updated



Remediation - Shell Script


readarray -t systemaccounts < <(awk -F: \
  '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
  && $3 != nfsnobody) { print $1 }' /etc/passwd)

for systemaccount in "${systemaccounts[@]}"; do

Remediation - Ansible

- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - NIST-800-53-AC-6