Default operating system accounts, other than root, must be locked.

From Red Hat Enterprise Linux 6 Security Technical Implementation Guide

Part of SRG-OS-999999

Associated with: CCI-000366

SV-50297r3_rule Default operating system accounts, other than root, must be locked.

Vulnerability discussion

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Check content

To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. If any default operating system account (other than root) has a valid password hash, this is a finding.

Fix text

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. Disable logon access to these accounts with the command: # passwd -l [SYSACCT]

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer