Check: OSX8-00-00110
Apple OSX 10.8 STIG:
OSX8-00-00110
(in version v1 r2)
Title
The operating system must automatically terminate temporary accounts after an organization-defined time period for each type of account. (Cat II impact)
Discussion
When temporary and emergency accounts are created, there is a risk the temporary account may remain in place and active after the need for the account no longer exists. To address this, in the event temporary accounts are required, accounts designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk of accounts being misused, hijacked, or data compromised.
Check Content
If a temporary user has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u <username> get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.
Fix Text
To set an expiration date for a temporary account, use the following command: sudo pwpolicy -u <username> -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"
Additional Identifiers
Rule ID: SV-65405r1_rule
Vulnerability ID: V-51195
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000016 |
The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. |
Controls
Number | Title |
---|---|
AC-2 (2) |
Removal Of Temporary / Emergency Accounts |