Checking for Unlocked Accounts

Checking for Unlocked Accounts

It is important that all system and vendor accounts that are not used for logins are locked.

To get a list of unlocked accounts on your system, you can check for accounts that do NOT have an encrypted password string starting with “!” or “*” in the /etc/shadow file. If you lock an account using passwd -l, it will put a ‘!!’ in front of the encrypted password, effectively disabling the password.

If you lock an account using usermod -L, it will put a ‘!’ in front of the encrypted password. Many system and shared accounts are usually locked by default by having a ‘*’ or ‘!!’ in the password field which renders the encrypted password into an invalid string.

~$ sudo egrep -v ‘.*:\*|:\!’ /etc/shadow | awk -F: ‘{print $1}’
root
buddies
nagios

Also make sure all accounts have a ‘x’ in the password field in /etc/passwd. The following command lists all accounts that do not have a ‘x’ in the password field:

# grep -v ‘:x:’ /etc/passwd

A ‘x’ in the password fields means that the password has been shadowed, i.e. the encrypted password has to be looked up in the /etc/shadow file. If the password field in /etc/passwd is empty, then the system will not lookup the shadow file and it will not prompt the user for a password at the login prompt.

All system or vendor accounts that are not being used by users, applications, by the system or by daemons should be removed from the system. You can use the following command to find out if there are any files owned by a specific account:

# find / -path /proc -prune -o -user [account] -ls

The -prune option in this example is used to skip the /proc filesystem. If you are sure that an account can be deleted, you can remove the account using the following command:

# userdel -r [account]

Tags: , ,

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.