GEN003320 - System accounts must not be listed in at.allow or must be included in at.deny - 'mail' - at.deny

Information

Default accounts, such as bin, sys, adm, uucp, daemon, and others, should never have access to the 'at' facility. Such access would create a possible vulnerability open to intruders or malicious users.

Solution

Remove the default accounts (such as bin, sys, adm, and others, traditionally UID less than 500) from the at.allow file.
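
One way to check this rule on copies of the relevant files, following the at(1) precedence of at.allow over at.deny. This is an added example, not part of the STIG or the audit file; the function names, argument order, sample data and the choice to skip root (UID 0) are assumptions.

```shell
#!/bin/sh
# Added example (not from the STIG or the audit file).
# audit_at_access PASSWD AT_ALLOW AT_DENY [UID_MAX]
# Prints one FINDING line per non-compliant system account.
# Returns 0 when compliant, 1 when there is at least one finding.
audit_at_access() {
    passwd_file=$1 allow_file=$2 deny_file=$3 uid_max=${4:-500}
    findings=0
    # Assumption: "system account" = 0 < UID < uid_max; root is skipped
    # because the superuser may always use at.
    sys_accounts=$(awk -F: -v max="$uid_max" \
        '$3 ~ /^[0-9]+$/ && $3 > 0 && $3 < max { print $1 }' "$passwd_file")
    for acct in $sys_accounts; do
        if [ -f "$allow_file" ]; then
            # at.allow exists: only listed users may use at; at.deny is ignored.
            if grep -qxF -- "$acct" "$allow_file"; then
                echo "FINDING: $acct is listed in at.allow"
                findings=$((findings + 1))
            fi
        elif [ -f "$deny_file" ]; then
            # No at.allow: every user not named in at.deny may use at.
            if ! grep -qxF -- "$acct" "$deny_file"; then
                echo "FINDING: $acct is missing from at.deny"
                findings=$((findings + 1))
            fi
        fi
        # Neither file present: only the superuser may use at.
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample data; run the script with --demo to see the output.
demo_at_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'bin:x:1:1::/bin:/sbin/nologin' \
        'mail:x:8:12::/var/spool/mail:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'bin' > "$d/at.deny"      # mail is missing on purpose
    audit_at_access "$d/passwd" "$d/at.allow" "$d/at.deny"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
if [ "${1:-}" = "--demo" ]; then demo_at_audit; fi
```

On a live system the arguments would be /etc/passwd, /etc/at.allow and /etc/at.deny.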

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, CCI|CCI-000225, Group-ID|V-986, Rule-ID|SV-37517r1_rule, STIG-ID|GEN003320, Vuln-ID|V-986

Plugin: Unix

Control ID: 2ffa07ea4fe1e58d65d375f13e7f9f7df6bfa6e2f934382ebc87865f0bb707ec