Accounts must be locked upon 35 days of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-918	GEN000760	SV-44882r1_rule		Medium

Description
On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name match an entry in a hosts.equiv file and have a .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense. Non-interactive accounts on the system, such as application accounts, may be documented exceptions.

Description

On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name match an entry in a hosts.equiv file and have a .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense. Non-interactive accounts on the system, such as application accounts, may be documented exceptions.

STIG	Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide	2018-09-19

Details

Check Text ( C-42336r2_chk )
Indications of inactive accounts are those that have no entries in the last log. Check the date in the last log to verify it is within the last 35 days or the maximum number of days set by the site if more restrictive. If an inactive account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found not disabled, this is a finding. Procedure: Obtain a list of all active(not locked) accounts: # for ACCT in $(cut -d: -f1 /etc/passwd) do if [ "$(passwd -S ${ACCT}\| awk '{print $2}')" != "LK" ] then lastlog -u ${ACCT} \| awk '{ if(NR>1) printf "%-23s %3s %2s %4s\n", $1, $4, $5, $8}' fi done Obtain a list of all accounts that have logged in during the past 35 days: # lastlog -t 35 \| awk '{if(NR>1) printf "%-23s %3s %2s %4s\n", $1, $4, $5, $8}’ Compare the results of the two commands. Any account listed by the first command that is not also listed by the second command has been inactive for 35 days.

Check Text ( C-42336r2_chk )

Indications of inactive accounts are those that have no entries in the last log. Check the date in the last log to verify it is within the last 35 days or the maximum number of days set by the site if more restrictive. If an inactive account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found not disabled, this is a finding.

Procedure:
Obtain a list of all active(not locked) accounts:
# for ACCT in $(cut -d: -f1 /etc/passwd)
do
if [ "$(passwd -S ${ACCT}| awk '{print $2}')" != "LK" ]
then
lastlog -u ${ACCT} |
awk '{ if(NR>1) printf "%-23s %3s %2s %4s\n", $1, $4, $5, $8}'
fi
done

Obtain a list of all accounts that have logged in during the past 35 days:
# lastlog -t 35 | awk '{if(NR>1) printf "%-23s %3s %2s %4s\n", $1, $4, $5, $8}’

Compare the results of the two commands. Any account listed by the first command that is not also listed by the second command has been inactive for 35 days.

Fix Text (F-38314r1_fix)
All inactive accounts that have not been documented as exceptions will have /bin/false or /sbin/nologin as the default shell in the /etc/passwd file and have the password locked. Examine the user accounts using the lastlog command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days or the maximum number of days set by the site, not to exceed 35 days, then lock the account and place a shell field of /bin/false or /sbin/nologin in the passwd file entry for the account. Procedure: # passwd -l # chsh -s /bin/false

Fix Text (F-38314r1_fix)

All inactive accounts that have not been documented as exceptions will have /bin/false or /sbin/nologin as the default shell in the /etc/passwd file and have the password locked. Examine the user accounts using the lastlog command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days or the maximum number of days set by the site, not to exceed 35 days, then lock the account and place a shell field of /bin/false or /sbin/nologin in the passwd file entry for the account.
Procedure:
# passwd -l
# chsh -s /bin/false