3.1.3.4 guest

Information

This change locks and disables login access for the guest user account.

Rationale:

This change disables direct local and remote login to the guest user account. Do not set a password on this account to ensure that the only access is via su from the root account.

There should not be a requirement to log in as the guest user directly. All users should be given unique logon ids to ensure traceability and accountability.

Impact:

Historically, the guest user account was intended to provide access for unknown users, i.e., cases where the user identity was not important.

Today the guest account should not be used. The numeric userid is reserved by the OS.

All authorized users should be given specific logon ids to ensure traceability and accountability.

Solution

Change the following attributes for the guest user:

chuser account_locked=true login=false rlogin=false guest

Default Value:

account_locked=false login=true rlogin=true
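
A check for the settings above, as an added example that is not part of the benchmark or the audit plugin: it parses one line of `lsuser -a account_locked login rlogin guest` output and lists every attribute that is missing or still at its default. The function name and the sample lines are constructed for illustration; an attribute absent from the output is treated as non-compliant.

```shell
#!/bin/sh
# Added example: audit the guest account against the required attributes.
# On AIX the input line would come from:
#   lsuser -a account_locked login rlogin guest
# The sample lines at the bottom are constructed so this runs without AIX.

# Required values, taken from the Solution section of this item.
REQUIRED="account_locked=true login=false rlogin=false"

# audit_lsuser_line LINE  (hypothetical helper name)
# Prints the attributes that are missing or wrong, space separated.
# Returns 0 only when every required key=value pair is present.
audit_lsuser_line() {
    line=$1
    failed=""
    for want in $REQUIRED; do
        key=${want%%=*}
        found=no
        # Drop the first field (the user name), then compare each key=value.
        for field in ${line#* }; do
            if [ "$field" = "$want" ]; then
                found=yes
            fi
        done
        # A missing attribute counts as a failure: the defaults are permissive.
        [ "$found" = yes ] || failed="$failed $key"
    done
    failed=${failed# }
    printf '%s' "$failed"
    [ -z "$failed" ]
}

# Constructed sample output: one compliant line, one at the default values.
for sample in \
    "guest account_locked=true login=false rlogin=false" \
    "guest account_locked=false login=true rlogin=true"; do
    if bad=$(audit_lsuser_line "$sample"); then
        echo "PASS: $sample"
    else
        echo "FAIL ($bad): $sample"
    fi
done
```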

See Also

https://workbench.cisecurity.org/files/3525

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|4.6

Plugin: Unix

Control ID: 9351167fb58423f7e96a1bddd3e001243ad0139cac254cfc356193e9ed4f1a11