The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.

From Apple OS X 10.8 (Mountain Lion) Workstation STIG

Associated with: CCI-001682

SV-65725r1_rule The operating system must automatically terminate emergency accounts after an organization-defined time period for each type of account.

Vulnerability discussion

When emergency accounts are created, there is a risk that the emergency account may remain in place and active after the need for the account no longer exists. To address this, in the event emergency accounts are required, accounts that are designated as temporary in nature must be automatically terminated after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or data compromised.

Check content

If an emergency account has been created on the workstation, you can check the expiration settings using the following command: sudo pwpolicy -u get-effective-policy | tr " " "\n" | grep "usingHardExpirationDate\|hardExpireDateGMT" The value of "usingHardExpirationDate" should be "1", and the value for the "hardExpireDateGMT" should be a valid date. If they are not set correctly, this is a finding.

Fix text

To set an expiration date for an emergency account, use the following command: sudo pwpolicy -u -setpolicy "usingHardExpirationDate=1 hardExpireDateGMT=mm/dd/yy"

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.