Signed-off-by: Jeffrey Blank <[email protected]> --- RHEL6/input/profiles/stig-rhel6-server.xml | 1 + .../accounts/restrictions/account_expiration.xml | 28 ++++++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml index f5b8d6f..af213d3 100644 --- a/RHEL6/input/profiles/stig-rhel6-server.xml +++ b/RHEL6/input/profiles/stig-rhel6-server.xml @@ -26,6 +26,7 @@ <select idref="gid_passwd_group_same" selected="true"/> <select idref="account_unique_name" selected="true"/> +<select idref="account_temp_expire_date" selected="true"/> <select idref="password_require_consecrepeat" selected="true"/> diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 2e8c8f4..ee213d5 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -62,7 +62,7 @@ who may have compromised their credentials. </Rule> <Rule id="account_unique_name"> -<title>All Accounts on the System Must Have Unique User or Account Names</title> +<title>Ensure All Accounts on the System Have Unique Names</title> <description> Change usernames, or delete accounts, so each has a unique name. </description> 
@@ -72,9 +72,33 @@ Run the following command to check for duplicate account names: If there are no duplicate names, no line will be returned. </ocil> <rationale> -Unique usernames allow for accountability on the system. +Unique usernames allow for accountability on the system. </rationale> <ref disa="770,804"/> </Rule> +<Rule id="account_temp_expire_date"> +<title>Assign Expiration Date to Temporary Accounts</title> +<description> +In the event temporary or emergency accounts are required, configure the system +to terminate them after a documented time period. For every temporary and +emergency account, run the following command to set an expiration date on it: +<pre># chage -E <i>YYYY-MM-DD</i> <i>username of temporary or emergency account</i></pre> +<tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the account. +</description> +<ocil clause="any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame"> +Run the following command to obtain a list of all temporary and emergency +accounts on the system: +<pre># chage -l <i>username of temporary or emergency account</i></pre> +Verify each of these accounts has an expiration date set as documented. +</ocil> +<rationale> +When temporary and emergency accounts are created, there is a risk they may +remain in place and active after the need for them no longer exists. Account +expiration greatly reduces the risk of accounts being misused or hijacked. +<br/> +</rationale> +<ref disa="16,1682"/> +</Rule> + </Group> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
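Review bot: In the account_expiration.xml hunk, the ocil text for account_temp_expire_date says the command "obtain[s] a list of all temporary and emergency accounts on the system", but `chage -l <username>` only prints the aging information for the one account named on the command line and cannot enumerate accounts; the check still depends on the site's documented list of such accounts. Suggest rewording to "For each temporary or emergency account, run the following command and verify the 'Account expires' line matches the documented expiration date:" so the procedure matches what the command does. Two smaller points in the same hunk: the `+<br/>` inside the new rationale is stray markup with no text after it and should be dropped, and the `-`/`+` pair on "Unique usernames allow for accountability on the system." is a whitespace-only change that is unrelated to the new rule and is worth either removing from the patch or mentioning in the commit message.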
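Review bot: The title change on account_unique_name in the first account_expiration.xml hunk ("All Accounts on the System Must Have Unique User or Account Names" to "Ensure All Accounts on the System Have Unique Names") is a cosmetic edit to an existing rule and is not described by the commit's diffstat-level purpose of adding account_temp_expire_date; consider splitting it into its own commit or at least noting it in the commit message so the rename is not lost when the history is read later.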
