CCI-000016

Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.

9 rules found Severity: Medium

20 rules found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

CCI-000016

Assign Expiration Date to Emergency Accounts

Assign Expiration Date to Temporary Accounts

Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours.

The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours.

The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.

The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.

AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.

MKE must be configured to integrate with an Enterprise Identity Provider.

Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.

SLEM 5 must automatically expire temporary accounts within 72 hours.

NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.

AAA Services must be configured to automatically remove temporary user accounts after 72 hours.

AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.

The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours.

The application must automatically remove or disable temporary user accounts 72 hours after account creation.

Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours.

AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.

The container platform must automatically remove or disable temporary user accounts after 72 hours.

The operating system must automatically remove or disable temporary user accounts after 72 hours.

The IBM z/OS system administrator (SA) must develop a procedure to automatically remove or disable temporary user accounts after 72 hours.

IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.

IBM z/OS system administrator (SA) must develop a procedure to remove or disable temporary user accounts after 72 hours.

The Mainframe Product must automatically remove or disable temporary user accounts after 72 hours.

Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.

Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

OL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.

RHEL 9 must automatically expire temporary accounts within 72 hours.

The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.

The operating system must automatically terminate temporary accounts within 72 hours.

The VMM must automatically remove or disable local temporary user accounts after 72 hours.

The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.