mediumaccess-controlunverified
Ensure there are no unauthorized local accounts
no-unauthorized-accounts · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must not have unauthorized local interactive user accounts. Because the set of authorized accounts is defined by the ISSO and not derivable from the system, this control requires manual verification: the check lists the local interactive accounts (UID >= 1000) for comparison against the authorized list.
Rationale
Unauthorized accounts may be attacker-created backdoors or orphaned accounts that expand the attack surface. Every interactive account must be traceable to an authorized user.
Check → Remediate
Checkcommand
echo "MANUAL REVIEW REQUIRED: compare the local interactive user accounts below (UID >= 1000) against the list of accounts authorized by the ISSO. Any account not on the authorized list is a finding."
awk -F: '$3 >= 1000 && $3 < 65534 {print " " $1 " (UID " $3 ", shell " $7 ")"}' /etc/passwd 2>/dev/null
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Remove or disable any local interactive account that is not on the ISSO-authorized list (userdel -r <user> for a removable account, or lock it if retention is required).
Framework references
STIG
V-281199 / RHEL-10-600450
NIST 800-53
AC-2
#accounts#users#authorization#stig#manual