---
title: Ensure that System Accounts Are Locked
---

# Ensure that System Accounts Are Locked
 
## Description{% #description %}

Some accounts are not associated with a human user of the system; they exist to run services or perform administrative functions. An attacker should not be able to log into these accounts.

System accounts are those user accounts with a user ID below `1000` (the `UID_MIN` value in `/etc/login.defs` on most distributions). If any system account other than `root`, `halt`, `sync`, `shutdown` and `nfsnobody` has an unlocked password (a second field in `/etc/shadow` that does not start with `!` or `*`), lock it with:

```bash
$ sudo usermod -L account
```

`usermod -L` prefixes the password hash in `/etc/shadow` with `!`, which disables password authentication only: it does not stop logins that use SSH keys, and it does not stop `root` from switching to the account with `su`. Confirm the result with `passwd -S account`, which reports `L` (or `LK`, depending on the distribution) for a locked password.
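An audit to go with the description above, as an added example that is not Datadog's rule logic or code from the SCAP Security Guide: it joins `/etc/passwd` (for UIDs) with `/etc/shadow` (for password hashes) and lists system accounts, minus the exempt names, whose password field is neither `!`-prefixed nor `*`, which includes the empty field that means no password is required at all. It takes the file paths and `UID_MIN` as arguments so it can be run without root against the constructed sample files embedded below; the users `backup` and `svcacct`, their UIDs and all hashes are made up for the example.

```bash
#!/bin/bash
# Audit helper (added example, not part of the Datadog rule or SSG content).
# Lists system accounts whose password is not locked. Password field rules:
#   '!'-prefixed  -> locked (usermod -L / passwd -l, or '!!' for never set)
#   '*'           -> no valid password, password login impossible
#   anything else -> unlocked; an empty field means no password is required
find_unlocked_system_accounts() {
    # Arguments: passwd file, shadow file, UID_MIN (defaults: live files, 1000)
    local passwd_file="${1:-/etc/passwd}"
    local shadow_file="${2:-/etc/shadow}"
    local uid_min="${3:-1000}"

    awk -F: -v uid_min="$uid_min" '
        FNR == NR {                 # first file (passwd): remember each UID
            uid[$1] = $3
            next
        }
        # second file (shadow): $1 = user name, $2 = password hash
        ($1 in uid) && (uid[$1] + 0) < uid_min &&
        $1 != "root" && $1 != "halt" && $1 != "sync" &&
        $1 != "shutdown" && $1 != "nfsnobody" &&
        $2 !~ /^[!*]/ {
            print $1
        }
    ' "$passwd_file" "$shadow_file"
}

# Constructed sample files (not taken from any real host), written to the
# directory given as $1. Note that sync is unlocked but exempt by name, alice
# is a human user (UID 1000), and svcacct has an empty password field.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svcacct:x:999:999:service account:/var/lib/svcacct:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$FakeHashForExample0:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
sync:$6$saltsalt$FakeHashForExample1:19700:0:99999:7:::
shutdown:*:19700:0:99999:7:::
halt:*:19700:0:99999:7:::
backup:$6$saltsalt$FakeHashForExample2:19700:0:99999:7:::
svcacct::19700:0:99999:7:::
alice:$6$saltsalt$FakeHashForExample3:19700:0:99999:7:::
nfsnobody:!!:19700:0:99999:7:::
EOF
}

# Demo against the constructed files. On a real host, run
# find_unlocked_system_accounts with no arguments as root instead.
demo() {
    local dir
    dir=$(mktemp -d)
    write_sample_files "$dir"
    find_unlocked_system_accounts "$dir/passwd" "$dir/shadow"   # prints: backup, svcacct
    rm -rf "$dir"
}
demo
```

Every name the audit prints is a candidate for `usermod -L`; an account that prints because its shadow field is empty deserves a closer look first, since an empty field means anyone could log in without a password, not merely that a password was never locked.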

## Rationale{% #rationale %}

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host, as root, to remediate the issue. The exempt accounts must be matched by name in the first `/etc/passwd` field; comparing the UID field against bare words such as `root` would compare it with an empty awk variable and exempt nothing by name.

```bash
#!/bin/bash

# System accounts: UID below 1000 (UID_MIN in /etc/login.defs on most
# distributions), excluding the exempt accounts matched by user name.
readarray -t systemaccounts < <(awk -F: \
  '($3 < 1000 && $1 != "root" && $1 != "halt" && $1 != "sync" && $1 != "shutdown" \
  && $1 != "nfsnobody") { print $1 }' /etc/passwd)

for systemaccount in "${systemaccounts[@]}"; do
    # usermod -L prefixes the hash in /etc/shadow with '!'; it is idempotent,
    # so running it against an already-locked account is harmless.
    usermod -L "$systemaccount"
done
```

### Ansible playbook{% #ansible-playbook %}

The following Ansible tasks can be run to remediate the issue. They modify `/etc/shadow`, so the play that contains them must run with privilege escalation (`become: true`).

```yaml
- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy

# getent_passwd is a dict keyed by user name; each value is the list of the
# remaining passwd fields (password, uid, gid, gecos, home, shell).
- name: Ensure that System Accounts Are Locked - Create local_users Variable From
    getent_passwd Facts
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy

# password_lock: true is the module equivalent of usermod -L and is idempotent.
# item.value[1] is the UID (index 0 is the 'x' password placeholder).
- name: Ensure that System Accounts Are Locked - Lock System Accounts
  ansible.builtin.user:
    name: '{{ item.key }}'
    password_lock: true
  loop: '{{ local_users }}'
  when:
  - item.value[1]|int < 1000
  - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']
  tags:
  - CCE-80650-5
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.2.2
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_password_auth_for_systemaccounts
  - no_reboot_needed
  - restrict_strategy
```
