Accounts must be locked upon 35 days of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-918	GEN000760	SV-38500r1_rule	IAAC-1	Medium

Description
On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name to match an entry in a hosts.equiv file and have an .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense. Non-interactive accounts on the system, such as application accounts, may be documented exceptions. Non-interactive accounts on the system, such as application accounts, may be documented exceptions.

Description

On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name to match an entry in a hosts.equiv file and have an .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense. Non-interactive accounts on the system, such as application accounts, may be documented exceptions. Non-interactive accounts on the system, such as application accounts, may be documented exceptions.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2013-06-27

Details

Check Text ( C-36270r2_chk )
Indications of inactive accounts are those that have no entries in the "last" log. Check the date in the "last" log to verify it is within the last 35 days or the maximum numbers of days set by the site if more restrictive. If an inactive account is not disabled via an entry in the password field in the /etc/passwd file (or equivalent), check the /etc/passwd file to determine if the account has a valid shell. The passwd command can also be used to list a status for an account. For example, the following may be used to provide status information on each local account: # cat /etc/passwd \| cut -f1,1 -d ":" \| xargs -n1 passwd -s Then, determine what shell is assigned to the account. # cat /etc/passwd \| cut -f7,7 -d ":" If an inactive account is found with a valid shell, this is a finding.

Check Text ( C-36270r2_chk )

Indications of inactive accounts are those that have no entries in the "last" log. Check the date in the "last" log to verify it is within the last 35 days or the maximum numbers of days set by the site if more restrictive. If an inactive account is not disabled via an entry in the password field in the /etc/passwd file (or equivalent), check the /etc/passwd file to determine if the account has a valid shell.

The passwd command can also be used to list a status for an account. For example, the following may be used to provide status information
on each local account:
# cat /etc/passwd | cut -f1,1 -d ":" | xargs -n1 passwd -s

Then, determine what shell is assigned to the account.
# cat /etc/passwd | cut -f7,7 -d ":"

If an inactive account is found with a valid shell, this is a finding.

Fix Text (F-31527r2_fix)
All inactive accounts will have /bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the /etc/passwd file entry for that account. An alternative method is to disable the account using the HP-SMH.

Fix Text (F-31527r2_fix)

All inactive accounts will have /bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the /etc/passwd file entry for that account. An alternative method is to disable the account using the HP-SMH.