The macOS system must disable accounts after 35 days of inactivity.

An XCCDF Rule

Description

<VulnDiscussion>The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from employing unused accounts to gain access to the system while avoiding detection. Satisfies: SRG-OS-000118-GPOS-00060, SRG-OS-000590-GPOS-00110</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-268549r1034798_rule
Severity: Medium
References: CCI-003627 CCI-003628
Updated: 17 days ago

Configure the macOS system to disable accounts after 35 days of inactivity with the following command:

This setting may be enforced using local policy or by a directory service.

To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following <dict> within the "policyCategoryAuthentication":
[source,xml]
----
<dict>
<key>policyContent</key>
<string>policyAttributeLastAuthenticationTime &gt; policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>Inactive Account</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeInactiveDays</key>
<integer>35</integer>
</dict>
</dict>
----
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".

[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----

The macOS system must disable accounts after 35 days of inactivity.

Description

Remediation - Manual Procedure