5.4.1.5 Ensure inactive password lock is configured

Information

User accounts that have been inactive for over a given period of time can be automatically disabled.

INACTIVE - Defines the number of days after the password exceeded its maximum age where the user is expected to replace this password.

The value is stored in the shadow password file. An input of 0 will disable an expired password with no delay. An input of -1 will blank the respective field in the shadow password file.

Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

Solution

Run the following command to set the default password inactivity period to 45 days or less that meets local site policy:

# useradd -D -f <N>

Example:

# useradd -D -f 45

Run the following command to modify user parameters for all users with a password set to a inactive age of 45 days or less that follows local site policy:

# chage --inactive <N> <user>

Example:

# awk -F: '($2~/^$.+$/) {if($7 > 45 || $7 < 0)system ("chage --inactive 45 " $1)}' /etc/shadow

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 2f2f85a6a52f3f13523c289093338c36b58e8dad8f04d6e8571fe6f97e0511bb