AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours.

STIG ID: ALMA-09-004750 | SRG: SRG-OS-000002-GPOS-00002 | Severity: medium | CCI: CCI-000016, CCI-001682 | Vulnerability Id: V-269128

Vulnerability Discussion

Temporary accounts are accounts created during a time of need when prompt action requires bypassing the normal account creation authorization process – such as during incident response.

If these temporary accounts, which may have elevated permissions via sudo, group membership or SSH keys, are left enabled and are not automatically expired or manually removed, the security posture of the system will be degraded and the system left vulnerable to insider threat.

Temporary accounts are not the same as "last resort" or "break glass" emergency accounts which are local system accounts to be used by and maintained by authorized system administrators when standard remote access/authentication is unavailable. Emergency accounts are not subject to removal or expiration requirements.

Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064

Check

Verify temporary accounts have been provisioned with an expiration date of 72 hours.

For every existing temporary account, run the following command to obtain its account expiration information:

$ chage -l <temporary_account_name> | grep -i "account expires"

Verify each of these accounts has an expiration date set within 72 hours.

If any temporary accounts have an expiration date set to "never" or do not expire within 72 hours, this is a finding.
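The per-account check above can be run across a list of temporary accounts in one pass by reading the account expiration field (field 8, days since 1970-01-01) from shadow-format lines. This is an added example, not part of the STIG text; the function name, account names and sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag temporary accounts whose expiration is unset or
# more than 72 hours away, using field 8 of shadow-format lines.

MAX_DAYS=3   # 72 hours in whole days, matching the +3days used in the Fix

# audit_expiry NOW_EPOCH ACCOUNT...   (shadow-format lines on stdin)
# Prints "<account> FINDING|OK <reason>" for each listed account found.
audit_expiry() {
    local now_days=$(( $1 / 86400 )); shift
    local wanted=" $* "
    local name _pw _lc _min _max _warn _inact expire _rest
    while IFS=: read -r name _pw _lc _min _max _warn _inact expire _rest; do
        # Skip accounts that are not in the list of temporary accounts.
        case "$wanted" in *" $name "*) ;; *) continue ;; esac
        if [ -z "$expire" ]; then
            echo "$name FINDING never-expires"
        elif [ "$expire" -gt $(( now_days + MAX_DAYS )) ]; then
            echo "$name FINDING expires-in-$(( expire - now_days ))-days"
        elif [ "$expire" -le "$now_days" ]; then
            echo "$name OK already-expired"
        else
            echo "$name OK expires-in-$(( expire - now_days ))-days"
        fi
    done
}

# Constructed sample data (not taken from a real system).
SAMPLE_NOW=1735689600   # 2025-01-01 00:00:00 UTC, day 20089 since the epoch
SAMPLE_SHADOW='ir_temp1:!:20089:0:99999:7::20091:
ir_temp2:!:20089:0:99999:7:::
ir_temp3:!:20089:0:99999:7::20120:
svc_backup:!:20089:0:99999:7:::'

# Audits only the three constructed temporary accounts; svc_backup is ignored.
sample_report() {
    printf '%s\n' "$SAMPLE_SHADOW" |
        audit_expiry "$SAMPLE_NOW" ir_temp1 ir_temp2 ir_temp3
}

# On a live system (run as root; substitute the site's temporary accounts):
#   audit_expiry "$(date +%s)" <temporary_account_name> ... < /etc/shadow
```

Any line reporting FINDING corresponds to a finding under this check; the list of temporary accounts has to come from the site's own provisioning records, since the shadow file does not mark an account as temporary.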

Fix

Configure automatic account expiration after 72 hours by running the following command for each temporary account:

$ chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>