controls:
    -   id: SRG-OS-000001-GPOS-00001
        levels:
            - medium
        title: {{{ full_name }}} must provide automated mechanisms for supporting account
            management functions.
        description: |-
            {{{ full_name }}} must provide automated mechanisms for supporting account management functions.
        rationale: |-
            Enterprise environments make account management challenging and complex.
            A manual process for account management functions adds the risk of a potential oversight or other errors.

            A comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed.
            Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers.
            This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service.

            The automated mechanisms may reside within the operating system itself or may be offered by another infrastructure providing automated account management capabilities.
            Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.

            Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. 
            The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.
        status_justification: |-
            Mitigate with third-party software.

            As noted in the vulnerability discussion, "The automated mechanisms may reside within the operating system itself or may be offered by another infrastructure providing automated account management capabilities.
            Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements.
            This is not required to be provided by {{{ full_name }}} and must be implemented via a third party solution.
        mitigation: |-
            Mitigate with third-party software.

            Although the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.
        fixtext: |-
            This requirement is a permanent finding and cannot be fixed.
            An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
        check: |-
            {{{ full_name }}} does not support this requirement.
            This is an applicable-does not meet finding.
        status: does not meet