Ensure that System Accounts Are Locked

Classification:

compliance

Description

Some accounts are not associated with a human user of the system and exist only to run services or perform administrative functions. An attacker should not be able to log in to these accounts.

System accounts are those user accounts with a user ID (UID) below 1000, the default UID_MIN from /etc/login.defs on current distributions. If any system account other than root, halt, sync, shutdown and nfsnobody has an unlocked password, lock it with the command:

$ sudo usermod -L <account>

usermod -L prepends "!" to the account's password hash in /etc/shadow, which disables password authentication without discarding the hash (usermod -U reverses it). It does not change the account's login shell.
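The rule text describes the condition but gives no way to check it before remediating. The following POSIX shell script is an added example, not part of the ComplianceAsCode rule: it reads a passwd file and a shadow file, applies the rule's UID threshold and exemption list, and reports every system account whose shadow password field is not locked (does not start with "!" or "*"; an empty field means no password at all and is reported as well). The sample passwd and shadow contents, the account name svcacct and the placeholder hashes are constructed for the offline run; on a live host the functions would be pointed at /etc/passwd and /etc/shadow, which requires root.

```sh
#!/bin/sh
# Added audit helper; not part of the ComplianceAsCode rule content.
# Reports system accounts (UID < 1000, excluding root/halt/sync/shutdown/
# nfsnobody as the rule specifies) whose shadow password field is not
# locked, i.e. does not start with "!" (what usermod -L produces) or "*".
# An empty field means the account has no password at all and is reported too.

# Usage: find_unlocked_system_accounts PASSWD_FILE SHADOW_FILE
# Prints one "name:uid:state" line per offending account; state is "empty"
# for a missing password or "hash" for a usable, unlocked password hash.
find_unlocked_system_accounts() {
    awk -F: '
        # First file (passwd): remember the candidate system accounts by name.
        FNR == NR {
            if ($3 < 1000 && $1 != "root" && $1 != "halt" && $1 != "sync" &&
                $1 != "shutdown" && $1 != "nfsnobody")
                uid[$1] = $3
            next
        }
        # Second file (shadow): report candidates whose password is not locked.
        ($1 in uid) && ($2 !~ /^[!*]/) {
            state = ($2 == "" ? "empty" : "hash")
            print $1 ":" uid[$1] ":" state
        }
    ' "$1" "$2"
}

# Usage: lock_unlocked_system_accounts PASSWD_FILE SHADOW_FILE [DRY_RUN]
# Locks each offending account with usermod -L (requires root); give any third
# argument to print the commands instead of running them.
lock_unlocked_system_accounts() {
    find_unlocked_system_accounts "$1" "$2" | cut -d: -f1 |
    while IFS= read -r name; do
        if [ -n "${3:-}" ]; then
            echo "would run: usermod -L $name"
        else
            usermod -L "$name"
        fi
    done
}

# Constructed sample data for an offline run (hashes are placeholders).
# Against a live host, point the functions at /etc/passwd and /etc/shadow.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svcacct:x:998:998:Service Account:/var/lib/svc:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$placeholderhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
shutdown:*:19000:0:99999:7:::
halt:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
svcacct:$6$salt$placeholderhash:19000:0:99999:7:::
nfsnobody:!!:19000:0:99999:7:::
alice:$6$salt$placeholderhash:19000:0:99999:7:::
EOF
}

sample_dir=$(mktemp -d)
write_sample_files "$sample_dir"
# Expected: backup:34:empty (no password) and svcacct:998:hash (unlocked hash);
# root, halt, sync, shutdown and nfsnobody are exempt, alice is a regular user,
# and bin is already locked with "*".
find_unlocked_system_accounts "$sample_dir/passwd" "$sample_dir/shadow"
lock_unlocked_system_accounts "$sample_dir/passwd" "$sample_dir/shadow" dry-run
rm -rf "$sample_dir"
```

Run the dry-run form first on a copy of the two files; the remediation script below locks every matching account unconditionally, which is harmless on already-locked accounts but gives no record of which ones were actually open.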

Rationale

Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Requires bash (readarray). Field 1 of /etc/passwd is the account name and
# field 3 is the UID; the exemptions must be matched against the name, not the UID.
readarray -t systemaccounts < <(awk -F: \
  '($3 < 1000 && $1 != "root" && $1 != "halt" && $1 != "sync" && $1 != "shutdown" \
  && $1 != "nfsnobody") { print $1 }' /etc/passwd)

# usermod -L prepends "!" to the password hash; repeating it on an already
# locked account is harmless, so the loop is idempotent.
for systemaccount in "${systemaccounts[@]}"; do
  usermod -L "$systemaccount"
done

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
    - CCE-86112-0
    - NIST-800-53-AC-6
    - NIST-800-53-CM-6(a)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_password_auth_for_systemaccounts
    - no_reboot_needed
    - restrict_strategy

- name: Ensure that System Accounts Are Locked - Create local_users Variable From getent_passwd Facts
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
  tags:
    - CCE-86112-0
    - NIST-800-53-AC-6
    - NIST-800-53-CM-6(a)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_password_auth_for_systemaccounts
    - no_reboot_needed
    - restrict_strategy

# Each getent_passwd value is the list [password, uid, gid, gecos, home, shell],
# so item.value[1] is the UID; password_lock: true is the usermod -L equivalent.
- name: Ensure that System Accounts Are Locked - Lock System Accounts
  ansible.builtin.user:
    name: '{{ item.key }}'
    password_lock: true
  loop: '{{ local_users }}'
  when:
    - item.value[1]|int < 1000
    - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']
  tags:
    - CCE-86112-0
    - NIST-800-53-AC-6
    - NIST-800-53-CM-6(a)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_password_auth_for_systemaccounts
    - no_reboot_needed
    - restrict_strategy