← Rules Catalog
mediumaccess-controlverified

Ensure temporary accounts expire within 72 hours

temporary-account-expiry · RHEL ≥ 8 · 1 impl

Description

Temporary user accounts must be configured to automatically expire within 72 hours of creation.

Rationale

Temporary accounts that are not promptly removed provide an attack surface for unauthorized access. Requiring expiration within 72 hours ensures these accounts are automatically disabled even if manual cleanup is overlooked.

Check → Remediate

Checkcommand
# Check for accounts with no expiry set (UID >= 1000, not locked)
# This checks that temporary accounts (expiry set) expire within 72 hours
# Note: Identifying which accounts are "temporary" requires site policy
# This check looks for any non-system accounts without an expiry date
accounts_no_expiry=""
while IFS=: read -r user _ uid _ _ home shell; do
  if [ "$uid" -ge 1000 ] 2>/dev/null && [ "$shell" != "/sbin/nologin" ] && [ "$shell" != "/bin/false" ]; then
    expiry=$(chage -l "$user" 2>/dev/null | grep "Account expires" | cut -d: -f2 | tr -d ' ')
    if [ "$expiry" = "never" ] || [ -z "$expiry" ]; then
      accounts_no_expiry="$accounts_no_expiry $user"
    fi
  fi
done < /etc/passwd
if [ -z "$accounts_no_expiry" ]; then
  echo "OK: All interactive accounts have an expiry date set"
  exit 0
fi
echo "INFO: Accounts without expiry (verify none are temporary):$accounts_no_expiry"
exit 0
expected_exit:
0
Remediatemanual
note:
For each temporary account, set an expiry date within 72 hours: chage -E $(date -d "+3 days" +%Y-%m-%d) <username> Verify all temporary accounts have appropriate expiry dates.

Framework references

STIG

V-281173 / RHEL-10-600140V-258047 / RHEL-09-411040V-230374

NIST 800-53

AC-2(2)AC-2(3)

Live verification

rhel8:checkrhel9:check
#user-accounts#temporary#expiry#account-management