Ensure that System Accounts Are Locked
An XCCDF Rule
Description
Some accounts are not associated with a human user of the system, and exist to perform some
administrative functions. An attacker should not be able to log into these accounts.
System accounts are those user accounts with a user ID less than 1000
.
If any system account other than root
, halt
, sync
, shutdown
and nfsnobody
has an unlocked password, disable it with the command:
$ sudo usermod -L account
Rationale
Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
- ID
- xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
readarray -t systemaccounts < <(awk -F: \
'($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
&& $3 != nfsnobody) { print $1 }' /etc/passwd)
for systemaccount in "${systemaccounts[@]}"; do
Remediation - Ansible
- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- NIST-800-53-AC-6