- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in
/etc/passwd
. System accounts are those user accounts with a user ID less than
1000
. The user ID is stored in the third field. If any system account
other than root
has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin account
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
The following script can be run on the host to remediate the issue.
#!/bin/bash
readarray -t systemaccounts < <(awk -F: '($3 < 1000 && $3 != root \
&& $7 != "\/sbin\/shutdown" && $7 != "\/sbin\/halt" && $7 != "\/bin\/sync") \
{ print $1 }' /etc/passwd)
for systemaccount in "${systemaccounts[@]}"; do
usermod -s /sbin/nologin "$systemaccount"
done
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local
Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users
Variable From getent_passwd Facts
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
tags:
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Disable Login
Shell for System Accounts
ansible.builtin.user:
name: '{{ item.key }}'
shell: /sbin/nologin
loop: '{{ local_users }}'
when:
- item.key not in ['root']
- item.value[1]|int < 1000
- item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync']
tags:
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.