9.4 Verify System Account Default Passwords

Information

There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts.

Rationale:

System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentally or intentionally been enabled.

Solution

To lock a single account, use the command:

# passwd -d [username]

# passwd -l <em>[username]

To configure a single account to be non-login, use the command:

# passwd -d [username]

# passwd -N <em>[username]

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.8

Plugin: Unix

Control ID: 92e494a8eb81e4d65c0a448a191de6a2e3fb2775014c87708e832431fb9f742b