{"description": "Temporary accounts are established as part of normal account activation\nprocedures when there is a need for short-term accounts. In the event\ntemporary accounts are required, configure the system to\nterminate them after a documented time period. For every temporary account, run the following command to set an expiration date on\nit, substituting <tt><i>USER</i></tt> and <tt><i>YYYY-MM-DD</i></tt>\nappropriately:\n<pre>$ sudo chage -E <i>YYYY-MM-DD USER</i></pre>\n<tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the\naccount. For U.S. Government systems, the operating system must be\nconfigured to automatically terminate these types of accounts after a\nperiod of 72 hours.", "rationale": "If temporary user accounts remain active when no longer needed or for\nan excessive period, these accounts may be used to gain unauthorized access.\nTo mitigate this risk, automated termination of all temporary accounts\nmust be set upon account creation.\n<br />", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "3", "5", "7", "8"], "cobit5": ["DSS01.03", "DSS03.05", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 6.2"], "iso27001-2013": ["A.12.4.1", "A.12.4.3", "A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["AC-2(2)", "AC-2(3)", "CM-6(a)"], "nist-csf": ["DE.CM-1", "DE.CM-3", "PR.AC-1", "PR.AC-4", "PR.AC-6"], "srg": ["SRG-OS-000123-GPOS-00064", "SRG-OS-000002-GPOS-00002"], "stigid": ["UBTU-22-411040"], "stigref": ["SV-260548r958364_rule"]}, "control_references": {"stigid": ["UBTU-22-411040"]}, "components": [], "identifiers": {}, "ocil_clause": "any temporary accounts have no expiration date set or do not expire within 72 hours", "ocil": "Verify that temporary accounts have been provisioned with an expiration date\nof 72 hours. For every temporary account, run the following command to\nobtain its account aging and expiration information:\n<pre>$ sudo chage -l temporary_account_name</pre>\nVerify each of these accounts has an expiration date set within 72 hours or\nas documented.", "oval_external_content": null, "fixtext": "If a temporary account must be created configure the system to terminate the account after a 72\nhour time period with the following command to set an expiration date on it. Substitute\n\"temporary_account_name\" with the account to be created.\n\n$ sudo chage -E `date -d \"+3 days\" +%Y-%m-%d` temporary_account_name", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 temporary user accounts must be provisioned with an expiration time of 72 hours or less.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must automatically expire temporary accounts within 72 hours.", "vuldiscussion": "Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors.\n\nTemporary accounts are different from emergency accounts. Emergency accounts, also known as \"last resort\" or \"break glass\" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.\n\nThe automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.", "checktext": "Verify temporary accounts have been provisioned with an expiration date of 72 hours.\n\nFor every existing temporary account, run the following command to obtain its account expiration information:\n\n$ sudo chage -l &lt;temporary_account_name&gt; | grep -i \"account expires\"\n\nVerify each of these accounts has an expiration date set within 72 hours.\n\nIf any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.", "fixtext": "Configure the operating system to expire temporary accounts after 72 hours with the following command:\n\n$ sudo chage -E $(date -d +3days +%Y-%m-%d) &lt;temporary_account_name&gt;"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Assign Expiration Date to Temporary Accounts", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml", "template": null}