{"description": "Conventionally, Unix shell accounts are accessed by\nproviding a username and password to a login program, which tests\nthese values for correctness using the <tt>/etc/passwd</tt> and\n<tt>/etc/shadow</tt> files. Password-based login is vulnerable to\nguessing of weak passwords, and to sniffing and man-in-the-middle\nattacks against passwords entered over a network or at an insecure\nconsole. Therefore, mechanisms for accessing accounts by entering\nusernames and passwords should be restricted to those which are\noperationally necessary.", "warnings": [], "requires": [], "conflicts": [], "values": ["var_accounts_authorized_local_users_regex"], "groups": ["account_expiration", "password_expiration", "password_storage", "root_logins"], "rules": ["account_unique_id", "accounts_authorized_local_users", "group_unique_id", "group_unique_name", "no_nologin_in_shells"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Protect Accounts by Restricting Password-Based Login", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/group.yml"}