|
|
76240a |
From eed29b1db9dd62d014842340abb8601570fe6655 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Carlos Matos <cmatos@redhat.com>
|
|
|
76240a |
Date: Thu, 22 Jul 2021 14:26:49 -0400
|
|
|
76240a |
Subject: [PATCH] New rule for RHEL-08-020270
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../account_emergency_expire_date/rule.yml | 52 +++++++++++++++++++
|
|
|
76240a |
products/rhel8/profiles/stig.profile | 1 +
|
|
|
76240a |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
76240a |
.../data/profile_stability/rhel8/stig.profile | 1 +
|
|
|
76240a |
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
|
|
76240a |
5 files changed, 55 insertions(+), 1 deletion(-)
|
|
|
76240a |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
|
|
|
76240a |
|
|
|
76240a |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 0000000000..a47c7f39bc
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
|
|
|
76240a |
@@ -0,0 +1,52 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: fedora,rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'Assign Expiration Date to Emergency Accounts'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ Emergency accounts are privileged accounts established in response to
|
|
|
76240a |
+ crisis situations where the need for rapid account activation is required.
|
|
|
76240a |
+ In the event emergency accounts are required, configure the system to
|
|
|
76240a |
+ terminate them after a documented time period. For every emergency account,
|
|
|
76240a |
+ run the following command to set an expiration date on it, substituting
|
|
|
76240a |
+ <tt>ACCOUNT_NAME</tt> and <tt>YYYY-MM-DD</tt>
|
|
|
76240a |
+ appropriately:
|
|
|
76240a |
+ $ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
|
|
|
76240a |
+ <tt>YYYY-MM-DD</tt> indicates the documented expiration date for the
|
|
|
76240a |
+ account. For U.S. Government systems, the operating system must be
|
|
|
76240a |
+ configured to automatically terminate these types of accounts after a
|
|
|
76240a |
+ period of 72 hours.
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ If emergency user accounts remain active when no longer needed or for
|
|
|
76240a |
+ an excessive period, these accounts may be used to gain unauthorized access.
|
|
|
76240a |
+ To mitigate this risk, automated termination of all emergency accounts
|
|
|
76240a |
+ must be set upon account creation.
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-85910-8
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
|
|
|
76240a |
+ cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03
|
|
|
76240a |
+ disa: CCI-000016,CCI-001682
|
|
|
76240a |
+ isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
|
|
|
76240a |
+ isa-62443-2013: 'SR 1.1,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
|
|
|
76240a |
+ iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
|
|
|
76240a |
+ nist: AC-2(2),AC-2(3),CM-6(a)
|
|
|
76240a |
+ nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
|
|
|
76240a |
+ srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-020270
|
|
|
76240a |
+ vmmsrg: SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620
|
|
|
76240a |
+
|
|
|
76240a |
+ocil_clause: 'any emergency accounts have no expiration date set or do not expire within a documented time frame'
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ For every emergency account, run the following command
|
|
|
76240a |
+ to obtain its account aging and expiration information:
|
|
|
76240a |
+ $ sudo chage -l ACCOUNT_NAME
|
|
|
76240a |
+ Verify each of these accounts has an expiration date set as documented.
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index 7270a8f91f..c4b9d02af5 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -558,6 +558,7 @@ selections:
|
|
|
76240a |
- account_disable_post_pw_expiration
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-020270
|
|
|
76240a |
+ - account_emergency_expire_date
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-020280
|
|
|
76240a |
- accounts_password_pam_ocredit
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index 665f903ead..f500179292 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -43,7 +43,6 @@ CCE-85906-6
|
|
|
76240a |
CCE-85907-4
|
|
|
76240a |
CCE-85908-2
|
|
|
76240a |
CCE-85909-0
|
|
|
76240a |
-CCE-85910-8
|
|
|
76240a |
CCE-85911-6
|
|
|
76240a |
CCE-85912-4
|
|
|
76240a |
CCE-85913-2
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
index 7d59cfff62..72e205b695 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
@@ -24,6 +24,7 @@ documentation_complete: true
|
|
|
76240a |
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
|
|
76240a |
selections:
|
|
|
76240a |
- account_disable_post_pw_expiration
|
|
|
76240a |
+- account_emergency_expire_date
|
|
|
76240a |
- account_temp_expire_date
|
|
|
76240a |
- accounts_have_homedir_login_defs
|
|
|
76240a |
- accounts_logon_fail_delay
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
index 2c2daad6f6..cc21621617 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
@@ -35,6 +35,7 @@ documentation_complete: true
|
|
|
76240a |
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
|
|
|
76240a |
selections:
|
|
|
76240a |
- account_disable_post_pw_expiration
|
|
|
76240a |
+- account_emergency_expire_date
|
|
|
76240a |
- account_temp_expire_date
|
|
|
76240a |
- accounts_have_homedir_login_defs
|
|
|
76240a |
- accounts_logon_fail_delay
|