Title

Okta must automatically disable accounts after a 35-day period of account inactivity. (Cat II impact)

Discussion

Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications must track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. This policy does not apply to emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal login/access is not available. Emergency accounts are administrator accounts created in response to crisis situations. Satisfies: SRG-APP-000025, SRG-APP-000163, SRG-APP-000700

Check Content

If Okta Services rely on external directory services for user sourcing, this is not applicable, and the connected directory services must perform this function. Go to Workflows >> Automations and verify that an Automation has been created to disable accounts after 35 days of inactivity. If the Okta configuration does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.

Fix Text

From the Admin Console: 1. Go to Workflow >> Automations and select "Add Automation". 2. Create a name for the Automation (e.g., "User Inactivity"). 3. Click "Add Condition" and select "User Inactivity in Okta". 4. In the duration field, enter 35 days and click "Save". 5 Click the edit button next to "Select Schedule". 6. Configure the "Schedule" field for "Run Daily" and set the "Time" field to an organizationally defined time to run this automation. Click "Save". 7. Click the edit button next to "Select group membership". 8. In the "Applies to" field, select the group "Everyone" by typing it into the field. Click "Save". 9. Click "Add Action" and select "Change User lifecycle state in Okta". 10. In the "Change user state to" field, select "Suspended" and click "Save". 11. Click the "Inactive" button near the top of the section screen and select "Activate".

Additional Identifiers

Rule ID: SV-273188r1098831_rule

Vulnerability ID: V-273188

Group Title: SRG-APP-000025

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.