Check: SLEM-05-411050
SUSE Linux Enterprise Micro (SLEM) 5 STIG:
SLEM-05-411050
(in version v1 r1)
Title
SLEM 5 must never automatically remove or disable emergency administrator accounts. (Cat II impact)
Discussion
Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.
Check Content
Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command:

Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.

> sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires'
Password expires: never
Account expires: never

If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Fix Text
Configure SLEM 5 to never automatically remove or disable emergency administrator accounts.

> sudo chage -I -1 -M 99999 <emergency_administrator_account_name>
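To script the Check Content rule and confirm the result after applying the fix, the following added example (not part of the STIG text) evaluates `chage -l` output and returns a status code. The function names, return codes and sample output lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the SLEM-05-411050 pass/fail rule to `chage -l` output.

# Reads `chage -l` output on stdin.
# Returns 0 = not a finding, 1 = finding, 2 = expected fields missing.
check_chage_output() {
    awk -F': *' '
        /^(Password|Account) expires[ \t]*:/ {
            field = $1; sub(/[ \t]+$/, "", field)   # strip padding before ":"
            value = $2; sub(/[ \t]+$/, "", value)
            seen[field] = 1
            if (value != "never") {
                printf "FINDING: %s is \"%s\"\n", field, value
                bad = 1
            }
        }
        END {
            # Fail closed: output without both fields cannot be evaluated.
            if (!seen["Password expires"] || !seen["Account expires"]) {
                print "ERROR: expiry fields not found in input"
                exit 2
            }
            if (bad) exit 1
            print "OK: password and account never expire"
        }'
}

# Hypothetical wrapper for a live host. LC_ALL=C keeps the field labels in
# English so the match does not depend on the system locale.
audit_emergency_account() {
    LC_ALL=C sudo chage -l "$1" | check_chage_output
}

# Constructed sample output (not captured from a real system).
SAMPLE_OK='Password expires    : never
Password inactive   : never
Account expires     : never'

SAMPLE_EXPIRING='Password expires    : Apr 10, 2025
Password inactive   : never
Account expires     : never'

printf '%s\n' "$SAMPLE_OK" | check_chage_output || echo "status: $?"
printf '%s\n' "$SAMPLE_EXPIRING" | check_chage_output || echo "status: $?"
```

The `-I` and `-M` options in the Fix Text change password aging; if the check still reports a date for "Account expires", that field is the one `chage -E -1` clears.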
Additional Identifiers
Rule ID: SV-261356r996518_rule
Vulnerability ID: V-261356
Group Title: SRG-OS-000123-GPOS-00064
CCIs
Number | Definition |
---|---|
CCI-001682 | Automatically remove or disable emergency accounts after an organization-defined time period for each type of account. |
Controls
Number | Title |
---|---|
AC-2(2) | Removal of Temporary / Emergency Accounts |