Ensure that System Accounts Are Locked

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts.

System accounts are those user accounts with a user ID less than 1000. If any system account other than root, halt, sync, shutdown and nfsnobody has an unlocked password, disable it with the command:

$ sudo usermod -L account

Rationale

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

readarray -t systemaccounts < <(awk -F: \
  '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
  && $3 != nfsnobody) { print $1 }' /etc/passwd)

for systemaccount in "${systemaccounts[@]}"; do
    usermod -L "$systemaccount"
done

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy

- name: Ensure that System Accounts Are Locked - Create local_users Variable From
    getent_passwd Facts
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy

- name: Ensure that System Accounts Are Locked - Lock System Accounts
  ansible.builtin.user:
    name: '{{ item.key }}'
    password_lock: true
  loop: '{{ local_users }}'
  when:
  - item.value[1]|int < 1000
  - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy