Detections
Analytics

5.5.2.8 Ensure accounts without a valid login shell are locked

Information

There are a number of accounts provided with most distributions that are used to manage applications. Additionally, a administrator may add special accounts that are not intended for interactive use.

It is important to make sure that accounts that are not intended for interactive use are prevented from being used interactively. By default, most distributions set the password field for these accounts to an invalid string, but it is also recommended that these accounts are locked. This prevents these accounts from potentially being used to run any commands.

Solution

Run the following command to lock any non-root accounts without a valid login shell returned by the audit:

# usermod -L <user>

Example script: :

#!/usr/bin/env bash

{
 l_valid_shells="^($(awk -F\/ '($NF != "nologin" && $NF != "false") {print}' /etc/shells | sed -rn '/^\//{s,/,\\\\/,g;p}' | paste -s -d '|' - ))$"
 while IFS= read -r l_user; do
 passwd -S "$l_user" | awk '$2 !~ /^L/ {system ("usermod -L " $1)}'
 done < <(awk -v pat="$l_valid_shells" -F: '($1 != "root" && $(NF) !~ pat) {print $1}' /etc/passwd)
}

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-2(5), 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AC-11, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 5449d13c339f4a084f7c59488a341992b3de44f8f83b30592d08613bd26009bb