Do not perform the steps in this section on the root account. Doing so might cause the system to
become inaccessible.

Using /etc/passwd, obtain a listing of all users, their UIDs, and their shells, for instance by running:
# awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less
than 500, other than root.
For each identified system account SYSACCT, lock the account:
# usermod -L SYSACCT
and disable its shell:
# usermod -s /sbin/nologin SYSACCT

System accounts are not associated with a human user of the system; they exist to perform some administrative function. Make it more difficult for an attacker to use these accounts by locking their passwords
and by setting their shells to a non-valid shell. The RHEL5 default non-valid shell is /sbin/nologin, but
any command which will exit with a failure status and disallow execution of any further commands, such as
/bin/false or /dev/null, will work.
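The review step above can be run as a read-only check before and after the usermod commands. This is an added example, not part of the original guide: the function names audit_sysaccts and write_sample are hypothetical, the account data is constructed, and the lock test assumes a shadow password field beginning with "!" or "*" means no usable password.

```shell
#!/bin/sh
# Added example: read-only audit of system accounts (UID < 500, excluding root).
# Function names and the sample data are constructed for illustration.

# audit_sysaccts PASSWD_FILE SHADOW_FILE
# Prints "name:uid:finding" for every system account that still needs work.
audit_sysaccts() {
    awk -F: -v shadow="$2" '
        # Shadow-format file: remember each account password field.
        FILENAME == shadow { pw[$1] = $2; next }
        # Passwd-format file: system accounts only, never root.
        NF >= 7 && $3 + 0 < 500 && $1 != "root" {
            shell_ok = ($7 == "/sbin/nologin" || $7 == "/bin/false" || $7 == "/dev/null")
            # Assumption: a field starting with "!" (set by usermod -L) or "*"
            # cannot match any password, so the account counts as locked.
            lock_ok = (pw[$1] ~ /^[!*]/)
            if (!shell_ok) print $1 ":" $3 ":shell=" $7
            if (!lock_ok)  print $1 ":" $3 ":password-not-locked"
        }
    ' "$2" "$1"
}

# write_sample DIR: create constructed passwd/shadow files for the demo.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$hash:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
daemon:!!:14000:0:99999:7:::
ftp:$1$constructed$hash:14000:0:99999:7:::
alice:$1$constructed$hash:14000:0:99999:7:::
EOF
}

# Demo on the constructed files; nothing on the real system is read or changed.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_sysaccts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a live system, run it as root with `audit_sysaccts /etc/passwd /etc/shadow`; an empty result means every system account has a locked password and a non-valid shell.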
