Skip to content
Log In

CCI-003627

Disable accounts when the accounts have expired.

The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

1 rule found Severity: Medium

Logo

The DNS server implementation must disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: High

Logo

MKE must be configured to integrate with an Enterprise Identity Provider.

1 rule found Severity: Medium

Logo

Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity.

1 rule found Severity: Medium

Logo

Unused accounts must be disabled or removed from the system after 35 days of inactivity.

2 rules found Severity: Low

Logo

The network device must be configured to disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

2 rules found Severity: High

Logo

The TippingPoint SMS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

1 rule found Severity: High

Logo

TOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The web server must disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

Set Account Expiration Following Inactivity

22 rules found Severity: Medium

Logo

Set existing passwords a period of inactivity before they been locked

10 rules found Severity: Medium

Logo

NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

AAA Services must be configured to disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

The macOS system must disable accounts after 35 days of inactivity.

2 rules found Severity: Medium

Logo

The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The DBMS must disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: Medium

Logo

The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

CA-ACF2 userids found inactive for more than 35 days must be suspended.

1 rule found Severity: Medium

Logo

ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The IBM RACF INACTIVE SETROPTS value must be set to 35 days.

1 rule found Severity: Medium

Logo

CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.

1 rule found Severity: Medium

Logo

The CA-TSS INACTIVE Control Option must be properly set.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

1 rule found Severity: Medium

Logo

The Mainframe Product must disable accounts when the accounts have expired.

1 rule found Severity: Medium

Logo

Windows Server 2019 outdated or unused accounts must be removed or disabled.

1 rule found Severity: Medium

Logo

Windows Server 2022 outdated or unused accounts must be removed or disabled.

1 rule found Severity: Medium

Logo

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

1 rule found Severity: Medium

Logo

The OL 8 system-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.

1 rule found Severity: Medium

Logo

The OL 8 password-auth file must disable access to the system for account identifiers (individuals, groups, roles, and devices) with 35 days of inactivity.

1 rule found Severity: Medium

Logo

OpenShift must use FIPS validated LDAP or OpenIDConnect.

1 rule found Severity: High

Logo

RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.

1 rule found Severity: Medium

Logo

RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.

2 rules found Severity: Medium

Logo

User accounts must be locked after 35 days of inactivity.

2 rules found Severity: Medium

Logo

The VMM must disable local account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

1 rule found Severity: Medium

Logo

The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.

1 rule found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo