Assign Expiration Date to Temporary Accounts

An XCCDF Rule

Description

Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:

$ sudo chage -E YYYY-MM-DD USER

YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
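
To verify the result of the command above, the following added example (not part of the rule's own content) audits shadow(5)-format lines and reports temporary accounts that have no expiration date or one further out than the allowed window. The function name check_temp_expiry, the account names and the sample data are constructed for illustration; the 3-day limit corresponds to the 72-hour period stated above.

```shell
#!/bin/sh
# Added example: audit expiration dates of temporary accounts.
# Field 8 of a shadow(5) line is the account expiry in days since 1970-01-01;
# an empty field means the account never expires (what `chage -E` changes).

# check_temp_expiry TODAY_DAYS MAX_DAYS "user1 user2 ..."   (hypothetical helper)
# Reads shadow-format lines on stdin and prints one finding per listed account.
check_temp_expiry() {
    awk -F: -v today="$1" -v max="$2" -v users="$3" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) temp[u[i]] = 1 }
        ($1 in temp) {
            seen[$1] = 1
            left = $8 - today
            if ($8 == "")        print $1 ": FAIL no expiration date"
            else if (left <= 0)  print $1 ": OK already expired"
            else if (left > max) print $1 ": FAIL expires in " left " days (limit " max ")"
            else                 print $1 ": OK expires in " left " days"
        }
        END {
            # Accounts on the documented list that are absent from the input
            for (i = 1; i <= n; i++)
                if (!(u[i] in seen)) print u[i] ": MISSING not in shadow data"
        }
    '
}

# Constructed sample input (not real account data). Password field is "*".
SAMPLE_SHADOW='root:*:19800:0:99999:7:::
contractor1:*:19850:0:99999:7::19853:
contractor2:*:19850:0:99999:7:::
vendor1:*:19850:0:99999:7::19900:'

# Demo run against the sample with a fixed "today" of day 19851.
# On a live system, as root:
#   check_temp_expiry "$(( $(date +%s) / 86400 ))" 3 "USER1 USER2" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" |
    check_temp_expiry 19851 3 "contractor1 contractor2 vendor1"
```

Any FAIL line identifies an account that still needs `chage -E` with a date inside the documented period.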

Rationale

If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.

ID
xccdf_org.ssgproject.content_rule_account_temp_expire_date
Severity
Medium