The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours.

STIG ID: UBTU-20-010410  |  SRG: SRG-OS-000123-GPOS-00064 | Severity: low |  CCI: CCI-001682

Vulnerability Discussion

Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's System Administrator
s when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.

Check

Verify the Ubuntu operating system expires emergency accounts within 72 hours or less.

For every emergency account, run the following command to obtain its account expiration information:

$ sudo chage -l account_name | grep expires

Password expires : Aug 07, 2019
Account expires : Aug 07, 2019

Verify each of these accounts has an expiration date set within 72 hours of account creation.

If any of these accounts do not expire within 72 hours of that account's creation, this is a finding.

Fix

If an emergency account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute "account_name" with the account to be created.

$ sudo chage -E $(date -d "+3 days" +%F) account_name
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.