mediumaccess-controlverified ✓
Ensure temporary accounts expire within 72 hours
temporary-account-expiry · RHEL ≥ 8 · 1 impl
Description
Temporary user accounts must be configured to automatically expire within 72 hours of creation.
Rationale
Temporary accounts that are not promptly removed provide an attack surface for unauthorized access. Requiring expiration within 72 hours ensures these accounts are automatically disabled even if manual cleanup is overlooked.
Check → Remediate
Checkcommand
# Check for accounts with no expiry set (UID >= 1000, not locked)
# This checks that temporary accounts (expiry set) expire within 72 hours
# Note: Identifying which accounts are "temporary" requires site policy
# This check looks for any non-system accounts without an expiry date
accounts_no_expiry=""
while IFS=: read -r user _ uid _ _ home shell; do
if [ "$uid" -ge 1000 ] 2>/dev/null && [ "$shell" != "/sbin/nologin" ] && [ "$shell" != "/bin/false" ]; then
expiry=$(chage -l "$user" 2>/dev/null | grep "Account expires" | cut -d: -f2 | tr -d ' ')
if [ "$expiry" = "never" ] || [ -z "$expiry" ]; then
accounts_no_expiry="$accounts_no_expiry $user"
fi
fi
done < /etc/passwd
if [ -z "$accounts_no_expiry" ]; then
echo "OK: All interactive accounts have an expiry date set"
exit 0
fi
echo "INFO: Accounts without expiry (verify none are temporary):$accounts_no_expiry"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- For each temporary account, set an expiry date within 72 hours: chage -E $(date -d "+3 days" +%Y-%m-%d) <username> Verify all temporary accounts have appropriate expiry dates.
Framework references
STIG
V-281173 / RHEL-10-600140V-258047 / RHEL-09-411040V-230374
NIST 800-53
AC-2(2)AC-2(3)
Live verification
rhel8:checkrhel9:check
#user-accounts#temporary#expiry#account-management