Big Sur - Automatically Remove or Disable Temporary User Accounts within 72 Hours

Information

The macOS is able to be configured to set an automated termination for 72 hours or less for all temporary accounts upon account creation.

If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be targeted by attackers to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts _MUST_ be set to 72 hours (or less) when the temporary account is created.

If no policy is enforced by a directory service, a password policy can be set with the "pwpolicy" utility. The variable names may vary depending on how the policy was set.

If there are no temporary accounts defined on the system, this is Not Applicable.

Solution

The technology inherently meets this requirement. No fix is required.

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(2), CCE|CCE-85414-1

Plugin: Unix

Control ID: fd4e09b6e9289d368ab45698f15982ee19ac9785421dda90bb1d82dcc70cfda1