- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. An attacker should not be able to log into these accounts.
System accounts are those user accounts with a user ID less than 1000
.
If any system account other than root
, halt
, sync
, shutdown
and nfsnobody
has an unlocked password, disable it with the command:
$ sudo usermod -L account
Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.
The following script can be run on the host to remediate the issue.
#!/bin/bash
readarray -t systemaccounts < <(awk -F: \
'($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \
&& $3 != nfsnobody) { print $1 }' /etc/passwd)
for systemaccount in "${systemaccounts[@]}"; do
usermod -L "$systemaccount"
done
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- CCE-80650-5
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Are Locked - Create local_users Variable From
getent_passwd Facts
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
tags:
- CCE-80650-5
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Are Locked - Lock System Accounts
ansible.builtin.user:
name: '{{ item.key }}'
password_lock: true
loop: '{{ local_users }}'
when:
- item.value[1]|int < 1000
- item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']
tags:
- CCE-80650-5
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy