Signed-off-by: Jeffrey Blank <[email protected]> --- RHEL6/input/auxiliary/alt-titles-stig.xml | 5 ++++- .../accounts/restrictions/account_expiration.xml | 11 ++++++----- 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 915bd1a..cf6e6a4 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -704,7 +704,7 @@ All files must be owned by a group. <title rule="gid_passwd_group_same" shorttitle="All GIDs referenced in /etc/passwd must be defined in /etc/group"> All GIDs referenced in /etc/passwd must be defined in /etc/group </title> -<title rule="account_unique_name" shorttitle="All Accounts on the System Must Have Unique User or Account Names"> +<title rule="account_unique_name" shorttitle="Ensure All Accounts on the System Have Unique Names"> All accounts on the system must have unique user or account names </title> <title rule="password_require_consecrepeat" shorttitle="Set Password to Maximum of Three Consecutive Repeating Characters"> @@ -749,4 +749,7 @@ The snmpd service must use only SNMP protocol version 3 or newer. <title rule="snmpd_not_default_password" shorttitle="Ensure Default Password Is Not Used"> The snmpd service must not use a default password. </title> +<title rule="expire_date_set" shorttitle="Assign Expiration Date to Temporary Accounts"> +Temporary and emergency accounts must be provisioned with an expiration date. +</title> </titles> diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index ee213d5..9b2ad28 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml 
@@ -82,14 +82,15 @@ Unique usernames allow for accountability on the system. <description> In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and -emergency account, run the following command to set an expiration date on it: -<pre># chage -E <i>YYYY-MM-DD</i> <i>username of temporary or emergency account</i></pre> +emergency account, run the following command to set an expiration date on it, +substituting <tt><i>USER</i></tt> and <tt><i>YYYY-MM-DD</i></tt> appropriately: +<pre># chage -E <i>YYYY-MM-DD USER</i></pre> <tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the account. </description> <ocil clause="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame"> -Run the following command to obtain a list of all temporary and emergency -accounts on the system: -<pre># chage -l <i>username of temporary or emergency account</i></pre> +For every temporary and emergency account, run the following command +to obtain its account aging and expiration information: +<pre># chage -l <i>USER</i></pre> Verify each of these accounts has an expiration date set as documented. </ocil> <rationale> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
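Review bot: In the second alt-titles-stig.xml hunk (@@ -749), the new shorttitle "Assign Expiration Date to Temporary Accounts" leaves out emergency accounts, while the title text under it and the description in account_expiration.xml both cover "temporary and emergency" accounts. Suggest a shorttitle that names both, for example "Assign Expiration Date to Temporary and Emergency Accounts". The Rule element itself is outside the context shown for account_expiration.xml, so please confirm its id is exactly expire_date_set; otherwise this title entry will not attach to the rule.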
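Review bot: In the account_expiration.xml hunk (@@ -82), the reworded ocil check still ends with "Verify each of these accounts has an expiration date set as documented" without saying which part of the chage -l output to read. Naming the "Account expires" line, and stating that a value of "never" satisfies the clause "have no expiration date set", would let two reviewers reach the same result. A smaller style point in the description: the command now puts both placeholders in one element, <i>YYYY-MM-DD USER</i>, while the sentence above it marks USER and YYYY-MM-DD separately; writing <i>YYYY-MM-DD</i> <i>USER</i> would keep the two substitutions visibly distinct.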
