Assign Expiration Date to Emergency Accounts
An XCCDF Rule
Description
Emergency accounts are privileged accounts established in response to
crisis situations where the need for rapid account activation is required.
In the event emergency accounts are required, configure the system to
terminate them after a documented time period. For every emergency account,
run the following command to set an expiration date on it, substituting
ACCOUNT_NAME and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours.
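A check for the setting described above, as an added example that is not part of the SCAP Security Guide content: it reads the account expiration field (field 8, days since 1970-01-01) that chage -E writes to a shadow-format file and classifies each listed emergency account. The function name, the account names and the sample entries are constructed, and the 72-hour limit is assumed to be measured as 3 days from the audit day, not from account creation.

```shell
#!/bin/sh
# Added example: audit expiration dates of emergency accounts.
# Usage: audit_emergency_expiry SHADOW_FILE TODAY_DAYS MAX_DAYS ACCOUNT...
#   TODAY_DAYS: current day as days since 1970-01-01, e.g. $(( $(date +%s) / 86400 ))
#   MAX_DAYS:   longest allowed remaining lifetime in days (3 for a 72-hour policy)
# Prints one "ACCOUNT STATUS" line per account:
#   OK, TOO_LONG (expires later than allowed), NO_EXPIRY (field 8 empty),
#   EXPIRED (expiration day reached), MISSING (no such entry).
audit_emergency_expiry() {
    shadow_file=$1
    today=$2
    max_days=$3
    shift 3
    for acct in "$@"; do
        awk -F: -v u="$acct" -v today="$today" -v max="$max_days" '
            $1 == u {
                found = 1
                if ($8 == "")               s = "NO_EXPIRY"
                else if ($8 + 0 <= today + 0) s = "EXPIRED"
                else if ($8 - today > max)  s = "TOO_LONG"
                else                        s = "OK"
                print u, s
                exit
            }
            END { if (!found) print u, "MISSING" }
        ' "$shadow_file"
    done
}

# Constructed sample entries in /etc/shadow layout (password field locked).
sample_shadow() {
    cat <<'EOF'
emerg_ok:!:19999:0:99999:7::20002:
emerg_long:!:19990:0:99999:7::20030:
emerg_none:!:19990:0:99999:7:::
emerg_old:!:19900:0:99999:7::19950:
EOF
}

# Demo run against the constructed data, with day 20000 as "today".
demo_file=$(mktemp)
sample_shadow > "$demo_file"
audit_emergency_expiry "$demo_file" 20000 3 emerg_ok emerg_long emerg_none emerg_old
rm -f "$demo_file"
```

On a live system the first argument would be /etc/shadow, read with root privileges, and the account list would come from the site's own record of emergency accounts.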
Warning
Due to the unique requirements of each system, automated
remediation is not available for this configuration check.
Warning
This rule is deprecated in favor of the account_temp_expire_date rule.
Please consider replacing this rule in your files as it is not expected to receive
updates as of version 0.1.69.
Rationale
If emergency user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all emergency accounts
must be set upon account creation.
- ID: xccdf_org.ssgproject.content_rule_account_emergency_expire_date
- Severity: Medium