SLEM 5 must never automatically remove or disable emergency administrator accounts.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-261356 | SRG-OS-000123-GPOS-00064 | SLEM-05-411050 | SV-261356r996518_rule | 2024-06-04 | 1 |
Description |
---|
Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. |
ℹ️ Check |
---|
Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command:

Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account.

```
> sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires'
Password expires: never
Account expires: never
```

If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
✔️ Fix |
---|
Configure SLEM 5 to never automatically remove or disable emergency administrator accounts.

```
> sudo chage -I -1 -M 99999 <emergency_administrator_account_name>
```
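
The Check above can be scripted so that it returns a pass/finding status instead of relying on a visual read of the output. The following is an added example, not part of the STIG text: the function names (`evaluate_chage`, `audit_account`) and the sample `chage -l` output are constructed for illustration.

```shell
#!/bin/sh
# Reads `chage -l` output on stdin and judges the two fields the Check inspects.
# Returns 0 = both "never", 1 = finding, 2 = a field is missing (e.g. no such user).
evaluate_chage() {
    awk -F':' '
        /^(Password|Account) expires[ \t]*:/ {
            field = $1; sub(/[ \t]+$/, "", field)          # label without padding
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)    # text after first colon
            sub(/[ \t]+$/, "", value)
            seen[field] = 1
            if (value != "never") { printf "FINDING: %s = %s\n", field, value; bad = 1 }
        }
        END {
            if (!seen["Password expires"] || !seen["Account expires"]) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Runs the check against a live account (needs root or sudo, as in the Check).
# LC_ALL=C keeps the field labels in English so the match stays stable.
audit_account() {
    LC_ALL=C chage -l "$1" | evaluate_chage
}

# Constructed sample output (not captured from a real system): compliant account.
sample_compliant() {
    printf 'Last password change\t\t\t\t\t: Jun 04, 2024\n'
    printf 'Password expires\t\t\t\t\t: never\n'
    printf 'Password inactive\t\t\t\t\t: never\n'
    printf 'Account expires\t\t\t\t\t\t: never\n'
}

# Constructed sample output: account with an expiration date set (a finding).
sample_finding() {
    printf 'Password expires\t\t\t\t\t: never\n'
    printf 'Account expires\t\t\t\t\t\t: Jan 01, 2026\n'
}

# Stand-alone use: ./check.sh <emergency_administrator_account_name>
if [ -n "${1:-}" ]; then
    audit_account "$1"
fi
```

Exit status 2 separates "could not evaluate" from a real finding, so a mistyped account name does not pass silently. In `chage`, the "Account expires" field is controlled by the `-E` option (`-E -1` clears the date), which the Fix command above does not pass.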