{"description": "Some accounts are not associated with a human user of the system, and exist to perform some\nadministrative functions. An attacker should not be able to log into these accounts.\n<br/><br/>\nSystem accounts are those user accounts with a user ID less than <tt>1000</tt>.\nIf any system account other than <tt>root</tt>, <tt>halt</tt>, <tt>sync</tt>, <tt>shutdown</tt>\nand <tt>nfsnobody</tt> has an unlocked password, disable it with the command:\n<pre>$ sudo usermod -L <i>account</i></pre>", "rationale": "Disabling authentication for default system accounts makes it more difficult for attackers\nto make use of them to compromise a system.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["AC-6", "CM-6(a)"], "pcidss4": ["8.2.2", "8.2"]}, "control_references": {"pcidss4": ["8.2.2", "8.2"]}, "components": [], "identifiers": {}, "ocil_clause": "system accounts are not locked", "ocil": "To obtain a list of all users and the content of their shadow password field, run the command:\n<pre>$ sudo readarray -t systemaccounts < <(awk -F: \\\n    '($3 < 1000 && $3 != root && $3 != halt && $3 != sync && $3 != shutdown \\\n    && $3 != nfsnobody) { print $1 }' /etc/passwd)\n\n    for account in \"${systemaccounts[@]}\"; do\n        awk -v user=\"$account\" -F: '$1~account { print $1 \":\" $2 }' /etc/shadow\n    done</pre>\nVerify if all accounts are locked.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure that System Accounts Are Locked", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts/rule.yml", "template": null}