← Rules Catalog
mediumaccess-controlunverified

Ensure there are no unauthorized local accounts

no-unauthorized-accounts · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must not have unauthorized local interactive user accounts. Because the set of authorized accounts is defined by the ISSO and not derivable from the system, this control requires manual verification: the check lists the local interactive accounts (UID >= 1000) for comparison against the authorized list.

Rationale

Unauthorized accounts may be attacker-created backdoors or orphaned accounts that expand the attack surface. Every interactive account must be traceable to an authorized user.

Check → Remediate

Checkcommand
echo "MANUAL REVIEW REQUIRED: compare the local interactive user accounts below (UID >= 1000) against the list of accounts authorized by the ISSO. Any account not on the authorized list is a finding."
awk -F: '$3 >= 1000 && $3 < 65534 {print "  " $1 " (UID " $3 ", shell " $7 ")"}' /etc/passwd 2>/dev/null
exit 0
expected_exit:
0
Remediatemanual
note:
Remove or disable any local interactive account that is not on the ISSO-authorized list (userdel -r <user> for a removable account, or lock it if retention is required).

Framework references

STIG

V-281199 / RHEL-10-600450

NIST 800-53

AC-2
#accounts#users#authorization#stig#manual