4.5.2.3 Ensure system accounts are secured

Information

There are a number of accounts provided with most distributions that are used to manage applications and are not intended to provide an interactive shell. Furthermore, a user may add special accounts that are not intended to provide an interactive shell.

It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to the nologin shell. This prevents the account from potentially being used to run any commands.

Solution

System accounts

Set the shell for any accounts returned by the audit to nologin :

# usermod -s $(command -v nologin) <user>

Disabled accounts

Lock any non root accounts returned by the audit:

# usermod -L <user>

Large scale changes

The following command will set all system accounts to nologin :

# awk -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ &amp;&amp; ($3<'"$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534)) { print $1 }' /etc/passwd | while read user; do usermod -s $(command -v nologin) $user >/dev/null; done

The following command will automatically lock all accounts that have their shell set to nologin :

# awk -F: '/nologin/ {print $1}' /etc/passwd | while read user; do usermod -L $user; done

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f8a9bf45122343413a9156e9047ff1754cfcb7008c1ea5e9959ecdf65ab31800