
Set existing passwords a period of inactivity before they are locked

An XCCDF Rule

Description

Configure each existing user account so that it is automatically locked once its password has been expired for more than a given number of days (the "inactive" period), by running the following command for every account, here with a 30-day period:

$ sudo chage --inactive 30 USER

Rationale

Inactive accounts pose a threat to system security because their owners are not logging in and so will not notice failed login attempts or other anomalies; locking an account once its password has been expired for the configured number of days limits how long such an unattended account remains usable.

ID
xccdf_org.ssgproject.content_rule_accounts_set_post_pw_existing
Severity
Medium

Remediation - Shell Script


var_account_disable_post_pw_expiration='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>'

# The list of accounts fed to this loop was cut off on this page. It is
# assumed here to arrive on standard input, one username per line (for
# example from a filtered /etc/passwd query); each account gets the
# configured inactivity period applied.
while IFS= read -r i; do
    chage --inactive "$var_account_disable_post_pw_expiration" "$i"
done

Remediation - Ansible

- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>
  tags:
    - always