Rule ID
SV-261356r996518_rule
Version
V1R4
CCIs
Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command:
Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.
> sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires'
Password expires: never
Account expires: never
If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Configure SLEM 5 to never automatically remove or disable emergency administrator accounts.
> sudo chage -I -1 -M 99999 <emergency_administrator_account_name>
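The following is an added example, not part of the STIG text: a shell function that evaluates the same settings directly from a shadow(5) entry rather than from `chage -l` output. It goes slightly beyond the check above by also flagging the inactivity field, which the fix sets with `-I -1` but the check command does not display. The 99999 threshold is an assumption taken from the fix value, and the `HASH` placeholder and `breakglass` account name are constructed.

```shell
#!/bin/sh
# Added example: evaluate one shadow(5) line for the settings behind this rule.
# Fields: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn, 7 inactive, 8 expire
shadow_expiry_issues() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        # A last-change value of 0 forces a password change at next logon.
        if ($3 == "0") out = out " must_change"
        # Assumption: empty, -1 or >= 99999 (the value the fix sets) means no password expiry.
        if (!($5 == "" || $5 == "-1" || $5 + 0 >= 99999)) out = out " password_expires"
        # Inactivity lock after password expiry; the fix disables it with -I -1.
        if (!($7 == "" || $7 == "-1")) out = out " inactive_lock"
        # Absolute account expiration date (days since the epoch).
        if (!($8 == "" || $8 == "-1")) out = out " account_expires"
        sub(/^ /, "", out)
        print out
    }'
}

# Audit a named account on the live system (reading shadow requires root).
audit_account() {
    entry=$(getent shadow "$1") || { echo "no shadow entry for $1" >&2; return 2; }
    issues=$(shadow_expiry_issues "$entry")
    if [ -z "$issues" ]; then
        echo "$1: not a finding"
        return 0
    fi
    echo "$1: finding ($issues)"
    return 1
}

# Constructed sample entries (not from a real system).
shadow_expiry_issues 'root:HASH:19700:0:99999:7:::'
shadow_expiry_issues 'breakglass:HASH:19700:0:90:7:30:20000:'
```

On a live host, run `audit_account root` as root, or substitute the emergency administrator account in use.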