Check: OSX8-00-00115
Apple OSX 10.8 STIG:
OSX8-00-00115
(in version v1 r2)
Title
The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account. (Cat II impact)
Discussion
When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.
Check Content
If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
Fix Text
To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
Additional Identifiers
Rule ID: SV-65725r1_rule
Vulnerability ID: V-51515
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001682 |
The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. |
Controls
Number | Title |
---|---|
AC-2 (2) |
Removal Of Temporary / Emergency Accounts |