Only Authorized Local User Accounts Exist on Operating System
An XCCDF Rule
Description
Enterprise applications tend to use a server or virtual machine exclusively.
Besides the default operating system user, only the authorized local users
required by the installed software groups and applications should exist on
the operating system. The authorized user list can be customized in the refine
value variable var_accounts_authorized_local_users_regex.
An OVAL regular expression is used for the user list.
Configure the system so all accounts on the system are assigned to an active system,
application, or user account. Remove accounts that do not support approved system
activities or that allow for a normal user to perform administrative-level actions.
To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
Rationale
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
- ID: xccdf_org.ssgproject.content_rule_accounts_authorized_local_users
- Severity: Medium
Remediation - Shell Script
var_accounts_authorized_local_users_regex='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex" use="legacy"/>'
# never delete the root user
default_os_user="root"
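The remediation fragment above only sets its variables. The following is an added audit script, not the SSG remediation, that shows how the regex is applied to each /etc/passwd entry and reports unauthorized accounts without deleting anything; the regex value and the passwd content are constructed samples.

```shell
#!/bin/sh
# Added audit example, not the SSG remediation script: list local accounts whose
# name does not match the authorized-users regex, without deleting anything.

# Assumption: this regex is a constructed stand-in for the refine value
# var_accounts_authorized_local_users_regex (an extended regular expression).
var_accounts_authorized_local_users_regex='^(root|bin|daemon|sshd|nobody|appsvc[0-9]+)$'

# never delete the root user (same guard as the remediation script)
default_os_user="root"

# audit_local_users REGEX < passwd-file
# Prints one unauthorized username per line; returns 1 if any were found, else 0.
audit_local_users() {
    regex="$1"
    found=0
    while IFS=: read -r username _rest || [ -n "$username" ]; do
        # skip blank lines; root is always kept, like default_os_user in the remediation
        if [ -z "$username" ] || [ "$username" = "$default_os_user" ]; then
            continue
        fi
        if ! printf '%s\n' "$username" | grep -Eq -e "$regex"; then
            printf '%s\n' "$username"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample /etc/passwd content (not taken from a real host)
sample_passwd='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
appsvc01:x:1001:1001:app service:/srv/app:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
guest:x:1003:1003::/home/guest:/bin/sh'

# Demo on the sample; on a live host use: audit_local_users "$regex" < /etc/passwd
if printf '%s\n' "$sample_passwd" | audit_local_users "$var_accounts_authorized_local_users_regex"; then
    echo "all local accounts are authorized"
else
    echo "unauthorized accounts listed above; review them before running userdel"
fi
```

On the sample the script lists bob and guest and exits non-zero, which is the state the rule's OVAL check would flag before any userdel is run.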
Remediation - Ansible
- name: XCCDF Value var_accounts_authorized_local_users_regex # promote to variable
  set_fact:
    var_accounts_authorized_local_users_regex: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex" use="legacy"/>
  tags:
    - always