Check: GEN000760
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE:
GEN000760
(in versions v1 r14 through v1 r10)
Title
Accounts must be locked upon 35 days of inactivity. (Cat II impact)
Discussion
On some systems, accounts with disabled passwords still allow access using rcp, remsh, or rlogin through equivalent remote hosts. All that is required is the remote host name and the user name match an entry in a hosts.equiv file and have a .rhosts file in the user directory. Using a shell called /bin/false or /dev/null (or an equivalent) will add a layered defense. Non-interactive accounts on the system, such as application accounts, may be documented exceptions.
Check Content
Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days. If an inactive account is not disabled via an invalid login shell /bin/false entry in the shell field of the /etc/passwd file or account_locked = true in /etc/security/user file, this is a finding.
Fix Text
All inactive accounts will have /bin/false, /usr/bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the passwd file entry for that account. An alternative, and preferable method, is to disable the account using SMIT or the chsec command. Change the accounts login shell. #chsh <account> /bin/false Lock the account in /etc/security/user file. #chuser account_locked=true < user id > OR # smitty chuser
Additional Identifiers
Rule ID: SV-38840r1_rule
Vulnerability ID: V-918
Group Title: GEN000760
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000017 |
The information system automatically disables inactive accounts after an organization-defined time period. |
Controls
Number | Title |
---|---|
AC-2 (3) |
Disable Inactive Accounts |