Blob Blame History Raw
From eed29b1db9dd62d014842340abb8601570fe6655 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Thu, 22 Jul 2021 14:26:49 -0400
Subject: [PATCH] New rule for RHEL-08-020270

---
 .../account_emergency_expire_date/rule.yml    | 52 +++++++++++++++++++
 products/rhel8/profiles/stig.profile          |  1 +
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  1 +
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
 5 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
new file mode 100644
index 0000000000..a47c7f39bc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml
@@ -0,0 +1,52 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Assign Expiration Date to Emergency Accounts'
+
+description: |-
+    Emergency accounts are privileged accounts established in response to
+    crisis situations where the need for rapid account activation is required.
+    In the event emergency accounts are required, configure the system to
+    terminate them after a documented time period. For every emergency account,
+    run the following command to set an expiration date on it, substituting
+    <tt><i>ACCOUNT_NAME</i></tt> and <tt><i>YYYY-MM-DD</i></tt>
+    appropriately:
+    <pre>$ sudo chage -E <i>YYYY-MM-DD ACCOUNT_NAME</i></pre>
+    <tt><i>YYYY-MM-DD</i></tt> indicates the documented expiration date for the
+    account. For U.S. Government systems, the operating system must be
+    configured to automatically terminate these types of accounts after a
+    period of 72 hours.
+
+rationale: |-
+    If emergency user accounts remain active when no longer needed or for
+    an excessive period, these accounts may be used to gain unauthorized access.
+    To mitigate this risk, automated termination of all emergency accounts
+    must be set upon account creation.
+    <br />
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85910-8
+
+references:
+    cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+    cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS06.03
+    disa: CCI-000016,CCI-001682
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
+    isa-62443-2013: 'SR 1.1,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
+    iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+    nist: AC-2(2),AC-2(3),CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
+    srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002
+    stigid@rhel8: RHEL-08-020270
+    vmmsrg: SRG-OS-000002-VMM-000020,SRG-OS-000123-VMM-000620
+
+ocil_clause: 'any emergency accounts have no expiration date set or do not expire within a documented time frame'
+
+ocil: |-
+    For every emergency account, run the following command
+    to obtain its account aging and expiration information:
+    <pre>$ sudo chage -l <i>ACCOUNT_NAME</i></pre>
+    Verify each of these accounts has an expiration date set as documented.
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7270a8f91f..c4b9d02af5 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -558,6 +558,7 @@ selections:
     - account_disable_post_pw_expiration
 
     # RHEL-08-020270
+    - account_emergency_expire_date
 
     # RHEL-08-020280
     - accounts_password_pam_ocredit
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 665f903ead..f500179292 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -43,7 +43,6 @@ CCE-85906-6
 CCE-85907-4
 CCE-85908-2
 CCE-85909-0
-CCE-85910-8
 CCE-85911-6
 CCE-85912-4
 CCE-85913-2
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7d59cfff62..72e205b695 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -24,6 +24,7 @@ documentation_complete: true
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
+- account_emergency_expire_date
 - account_temp_expire_date
 - accounts_have_homedir_login_defs
 - accounts_logon_fail_delay
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2c2daad6f6..cc21621617 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -35,6 +35,7 @@ documentation_complete: true
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
+- account_emergency_expire_date
 - account_temp_expire_date
 - accounts_have_homedir_login_defs
 - accounts_logon_fail_delay