UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Default operating system accounts, other than root, must be locked.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38496 RHEL-06-000029 SV-50297r3_rule Medium
Description
Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2016-06-05

Details

Check Text ( C-46052r2_chk )
To obtain a listing of all users and the contents of their shadow password field, run the command:

$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow

Identify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root.

If any default operating system account (other than root) has a valid password hash, this is a finding.
Fix Text (F-43442r2_fix)
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts.

Disable logon access to these accounts with the command:

# passwd -l [SYSACCT]