Set existing passwords a period of inactivity before they been locked

An XCCDF Rule

Description

Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command:

$ sudo chage --inactive 30USER

Rationale

Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

ID: xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing
Severity: Medium
References: DSS01.03 DSS03.05 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

3.5.6

CCI-000017 CCI-000795

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 6.2

A.12.4.1 A.12.4.3 A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5

CIP-004-6 R2.2.2 CIP-004-6 R2.2.3 CIP-007-3 R.1.3 CIP-007-3 R5 CIP-007-3 R5.1.1 CIP-007-3 R5.1.3 CIP-007-3 R5.2.1 CIP-007-3 R5.2.3

AC-2(3) CM-6(a) IA-4(e)

DE.CM-1 DE.CM-3 PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7

Req-8.1.4

SRG-OS-000118-GPOS-00060

8.2.6

4.5.1.4
Updated: 8 months ago


var_account_disable_post_pw_expiration='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>'


while IFS= read -r i; do
    chage --inactive $var_account_disable_post_pw_expiration $idone <   <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow)

- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>
  tags:
    - always
- name: Collect users with not correct INACTIVE parameter set
  ansible.builtin.command:
    cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "")
      && $2 ~ /^\$/) {print $1}' /etc/shadow
  register: user_names
  changed_when: false
  tags:
  - NIST-800-171-3.5.6
  - NIST-800-53-AC-2(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-4(e)
  - PCI-DSS-Req-8.1.4
  - PCI-DSSv4-8.2.6
  - accounts_set_post_pw_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change the period of inactivity
  ansible.builtin.command:
    cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }}
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names is not skipped and user_names.stdout_lines | length > 0
  tags:
  - NIST-800-171-3.5.6
  - NIST-800-53-AC-2(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-4(e)
  - PCI-DSS-Req-8.1.4
  - PCI-DSSv4-8.2.6
  - accounts_set_post_pw_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Set existing passwords a period of inactivity before they been locked

Description

Rationale

Remediation - Shell Script

Remediation - Ansible