On 12/9/13, 6:17 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
Hi Shawn,
Could the title explicitly say "operating system" accounts, since this is the RHEL6 STIG? Let the application guys worry about their accounts as they conform to the AppServer and App STIGs.
Done. The proposed patch is in the attached file.
Had a chance to read this closer. What's the reason for inclusion? This would step beyond the baseline of even USGCB.
RHEL5 CCE-3987-5: Login access to non-root system accounts should be enabled or disabled as appropriate (disabled via /etc/passwd).

List all users, their UIDs, and their shells by running:
  # awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
For each identified system account SYSACCT, lock the account:
  # usermod -L SYSACCT
and disable its shell:
  # usermod -s /sbin/nologin SYSACCT
Maps to RHEL6 CCE-26966-2:
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 500. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
  # usermod -s /sbin/nologin SYSACCT
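As an added example (not part of the thread or of the STIG content quoted above), the audit half of the RHEL6 check as a small POSIX sh script: it applies the same rule as the guidance (third field below 500, root excluded, seventh field not a nologin shell) to a constructed passwd-format sample and prints the usermod remediation for each finding rather than running it.

```shell
#!/bin/sh
# Added example: audit passwd-format data for system accounts (UID < 500,
# the RHEL6 threshold) that still have a login shell. The content of
# SAMPLE_PASSWD is constructed for this example and is not a real system's file.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
)

# Read passwd-format lines on stdin and print "user:uid:shell" for every
# non-root account with UID < 500 whose shell is neither /sbin/nologin nor
# /bin/false. Field 3 is the UID, field 7 the login shell.
find_system_accounts_with_shell() {
    awk -F: '$3 < 500 && $1 != "root" && $7 != "/sbin/nologin" && $7 != "/bin/false" {
        print $1 ":" $3 ":" $7
    }'
}

# Turn each finding on stdin into the two remediation commands from the
# guidance (lock the account, then set its shell). Commands are printed,
# not executed, so an administrator can review them first.
remediation_commands() {
    while IFS=: read -r user uid shell; do
        printf 'usermod -L %s\nusermod -s /sbin/nologin %s\n' "$user" "$user"
    done
}

# Run the audit over the constructed sample; on a live RHEL6 host you would
# feed /etc/passwd instead of SAMPLE_PASSWD.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_system_accounts_with_shell
}

audit_sample
audit_sample | remediation_commands
```

Against the sample this reports games and postgres (UIDs 12 and 26 with /bin/bash); alice is skipped because UID 500 is the first non-system UID on RHEL6.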