All accounts must have a trusted starting point: a HOME directory. On many systems, a missing home directory places the account in a default directory at login; examples include / and /home/guest. This recommendation is specifically about locally administered accounts (in AIX terms, the -R files registry). If an account exists in the local registry, it must have a home directory that is accessible. This ensures it is not an invalid account (e.g., one accidentally restored from a backup). A valid account still needs a home directory. Because a script cannot distinguish a valid account with a missing HOME directory from an invalid account with a missing HOME directory, the recommendation is to lock the account.
Solution
Lock local accounts with UID >= 200 when the HOME directory does not exist:

#!/usr/bin/ksh -e
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
# Walk every locally administered account (-R files), reading its UID,
# HOME directory and lock state from lsuser.
lsuser -R files -a id home account_locked ALL | while read name ids homes locks rest; do
    uid=$(echo ${ids} | cut -f2 -d =)
    # Only user accounts (UID >= 200); system accounts are left alone.
    if [[ ${uid} -ge 200 ]]; then
        home=$(echo ${homes} | cut -f2 -d =)
        locked=$(echo ${locks} | cut -f2 -d =)
        if [[ ${locked} == "true" ]]; then
            continue    # already locked, nothing to do
        elif [[ ! -d ${home} ]]; then
            # Report the account, then lock it in the local registry.
            /usr/bin/printf "Locked Account [%s]: Missing HOME at: %-32s\n" ${name} ${home}
            /usr/bin/chuser -R files account_locked=true ${name}
        fi
    fi
done

Impact: A valid user can open a ticket and have a HOME directory created or restored. The risk of an invalid user gaining access via an old username is reduced.
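As an added audit-mode check, not part of the benchmark's or AIXTools' script: a POSIX sh function that parses the output format of lsuser -R files -a id home account_locked and lists the accounts the remediation above would lock, together with the reason, without changing anything. It runs here against constructed sample output and temporary directories so it works offline; the account names, UIDs and paths are invented, and on AIX the sample function would be replaced by the real lsuser pipeline.

```shell
#!/bin/sh
# Audit only: reports which local accounts the remediation would lock.
# Constructed sample data; the directories exist only for this demo.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/home/alice" "$DEMO_ROOT/home/guest"
: > "$DEMO_ROOT/home/carol"    # a regular file, not a directory

# Stand-in for: lsuser -R files -a id home account_locked ALL
sample_lsuser_output() {
    cat <<EOF
root id=0 home=/ account_locked=false
alice id=205 home=$DEMO_ROOT/home/alice account_locked=false
bob id=210 home=$DEMO_ROOT/home/bob account_locked=false
carol id=215 home=$DEMO_ROOT/home/carol account_locked=false
dave id=220 home=$DEMO_ROOT/home/dave account_locked=true
svc id=150 home=$DEMO_ROOT/home/svc account_locked=false
EOF
}

# Reads lsuser-format lines on stdin and prints "name reason" for each
# account with UID >= 200 that is not already locked and whose HOME is
# either absent or not a directory (and therefore not usable as HOME).
accounts_to_lock() {
    while read -r name ids homes locks rest; do
        uid=${ids#id=}
        home=${homes#home=}
        locked=${locks#account_locked=}
        [ "$uid" -ge 200 ] || continue        # system/service account
        [ "$locked" = "true" ] && continue    # already locked
        if [ ! -e "$home" ]; then
            reason=missing
        elif [ ! -d "$home" ]; then
            reason=not-a-directory
        else
            continue                          # HOME present: nothing to do
        fi
        printf '%s %s\n' "$name" "$reason"
    done
}

sample_lsuser_output | accounts_to_lock
```

Expected report for the sample: bob (missing) and carol (not-a-directory); alice has a directory, dave is already locked, and root and svc fall below UID 200.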