Rule ID
SV-260548r958364_rule
Version
V2R8
Temporary accounts are privileged or nonprivileged accounts established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. The automatic expiration of temporary accounts may be extended as needed by the circumstances, but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts. Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064
Verify temporary accounts have been provisioned with an expiration date of 72 hours by using the following command:
$ sudo chage -l <temporary_account_name> | grep -E '(Password|Account) expires'
Password expires : Apr 1, 2024
Account expires : Apr 1, 2024
Verify each of these accounts has an expiration date set within 72 hours.
If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.Configure Ubuntu 22.04 LTS to expire temporary accounts after 72 hours by using the following command:
$ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>