Title

All system administrative and maintenance user accounts are not documented. (Cat III impact)

Discussion

Requirement: The IAO will document all system administrative and maintenance user accounts. It is imperative that the IAO and SA is aware of all administrative and maintenance accounts that are configured on the system. These accounts must be documented and validated against the roster of SAs and maintenance users that are approved for access to the system. Un-needed accounts provide a means of compromise.Additionally, for each user / allowable account, the privileges, roles, and allowable commands for the account must be documented.

Check Content

Interview the IAO and/or SA to confirm compliance through discussion, review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc as applicable.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-9053r1_rule

Vulnerability ID: V-8556

Group Title: SA and maintenance user accounts NOT documented

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.