Set Account Expiration Following Inactivity
An XCCDF Rule
Description
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd
:
INACTIVE=If a password is currently on the verge of expiration, then
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus
day(s) could
elapse until the account would be automatically disabled. See the
useradd
man page for more information.
Rationale
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
- ID
- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then
var_account_disable_post_pw_expiration='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83627-0
- CJIS-5.6.2.1.1