Skip to content

Set Account Expiration Following Inactivity

An XCCDF Rule

Description

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:

INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.

Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

ID
xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.6.2.1.1
  - DISA-STIG-RHEL-07-010310

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_account_disable_post_pw_expiration='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>'