GEN000760 - Accounts must be locked upon 35 days of inactivity.

Information

On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name match an entry in a hosts.equiv file and have a .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense.

Non-interactive accounts on the system, such as application accounts, may be documented exceptions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

All inactive accounts will have /sbin/nologin (or an equivalent), as the default shell in the /etc/passwd file and have the password disabled. Examine the user accounts using the 'last' command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days or the maximum number of days set by the site, not to exceed 35 days, then disable the accounts using system-config-users tool. Alternately place a shell field of /sbin/nologin /bin/false or /dev/null in the passwd file entry for the account.

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CAT|II, CCI|CCI-000017, Group-ID|V-918, Rule-ID|SV-37314r2_rule, STIG-ID|GEN000760, Vuln-ID|V-918

Plugin: Unix

Control ID: bab7eb67e1c624fd35e2f9bdda899011488b19b0bf85bcf2473c3e0a2cdf5101