Skip to content
ATO Pathways
  Log In

CCI-003627

Disable accounts when the accounts have expired.

Logo
1

Rule

Severity: Medium
AAA Services must be configured to disable accounts when the accounts have expired.
Logo
2

Rule

Severity: Medium
The macOS system must disable accounts after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.
Logo
1

Rule

Severity: Medium
The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.
Logo
1

Rule

Severity: Medium
The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The DBMS must disable accounts when the accounts have expired.
Logo
1

Rule

Severity: Medium
The DNS server implementation must disable accounts when the accounts have expired.
Logo
1

Rule

Severity: Medium
Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
Logo
1

Rule

Severity: Medium
The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
CA-ACF2 userids found inactive for more than 35 days must be suspended.
Logo
1

Rule

Severity: Medium
ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
Logo
1

Rule

Severity: Medium
CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.
Logo
1

Rule

Severity: Medium
The CA-TSS INACTIVE Control Option must be properly set.
Logo
1

Rule

Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
Logo
1

Rule

Severity: High
The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
Logo
1

Rule

Severity: Medium
The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.
Logo
1

Rule

Severity: Medium
The Mainframe Product must disable accounts when the accounts have expired.
Logo
1

Rule

Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
Logo
1

Rule

Severity: Medium
Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity.
Logo
2

Rule

Severity: Low
Unused accounts must be disabled or removed from the system after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
Windows Server 2019 outdated or unused accounts must be removed or disabled.
Logo
1

Rule

Severity: Medium
Windows Server 2022 outdated or unused accounts must be removed or disabled.
Logo
1

Rule

Severity: Medium
The network device must be configured to disable accounts when the accounts have expired.
Logo
1

Rule

Severity: Medium
The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
Logo
1

Rule

Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
Logo
1

Rule

Severity: Medium
The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.
Logo
2

Rule

Severity: High
The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.
Logo
1

Rule

Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
Logo
1

Rule

Severity: Medium
RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
2

Rule

Severity: Medium
The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
Logo
2

Rule

Severity: Medium
User accounts must be locked after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The TippingPoint SMS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.
Logo
1

Rule

Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
Logo
1

Rule

Severity: Medium
TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The VMM must disable local account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Logo
1

Rule

Severity: Medium
The web server must disable accounts when the accounts have expired.
Logo
1

Rule

Severity: Medium
The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.

Patternfly

PatternFly elements

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules