Detections
Analytics

4.12 Lock historical users

Information

Lock OS administrative accounts to further enhance security.

Rationale:

Lock administrative user accounts. Generic OS administrative user accounts are targeted by hackers in an attempt to gain unauthorized access to a server.

Solution

Lock standard accounts using chuser:

ACCOUNTS=daemon,bin,sys,adm,uucp,nobody,lpd,lp,invscout,ipsec,nuucp,sshd
lsuser -a account_locked ${ACCOUNTS} | grep -v account_locked=true | while read account attributes; do
 chuser account_locked=true ${account}
done

Default Value:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|16.8, CSCv7|16.9

Plugin: Unix

Control ID: afb21d669057482ce5bbd39ee961357179aa25533fc670edaf3838216b879020