3.13 Lock historical users

Information

Lock OS administrative accounts to further enhance security.

Rationale:

Lock administrative user accounts. Generic OS administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server.

Solution

Lock standard accounts using chuser:

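# Generic OS accounts to lock (comma-separated, as lsuser expects)
ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
# List each account's lock state, skip those already locked, lock the rest
lsuser -a account_locked "${ACCOUNTS}" | grep -v account_locked=true | while read -r account attributes; do
    chuser account_locked=true "${account}"
done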
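
To confirm the result after running the remediation, the following added example (not part of the benchmark text) reports which accounts from the list are still not locked. The function name unlocked_accounts and the SAMPLE data are assumptions made for illustration; the input format follows the "name account_locked=value" lines that the loop above reads from lsuser.

```shell
#!/bin/sh
# Added audit helper, not from the benchmark. Reports accounts that are
# still unlocked after remediation.

ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd

# unlocked_accounts EXPECTED_CSV
# stdin : lines shaped like "name account_locked=value"
# stdout: "name unlocked" for every expected account not reported as locked,
#         "name absent"   for every expected account missing from the input.
# A line that carries no account_locked=true field counts as unlocked.
unlocked_accounts() {
    awk -v want="$1" '
        BEGIN { n = split(want, names, ",") }
        NF > 0 {
            state[$1] = "unlocked"
            for (i = 2; i <= NF; i++)
                if ($i == "account_locked=true") state[$1] = "locked"
        }
        END {
            for (i = 1; i <= n; i++) {
                s = (names[i] in state) ? state[names[i]] : "absent"
                if (s != "locked") print names[i], s
            }
        }'
}

# Constructed sample input (not captured from a real system).
SAMPLE='daemon account_locked=true
bin account_locked=false
sys account_locked=true
lpd
sshd account_locked=false'

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE" | unlocked_accounts "$ACCOUNTS"

# On an AIX host, feed the function real data instead:
#   lsuser -a account_locked "$ACCOUNTS" 2>/dev/null | unlocked_accounts "$ACCOUNTS"
```

An empty result means every listed account that exists is locked; "absent" entries are accounts that are not defined on the host.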

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|16.8

Plugin: Unix

Control ID: 10f68160f91ae9335afc5fe000eb9f399db8f7690953de02b3420ae9f2eebf97