7.6 Lock Inactive User Accounts

Information

Guidelines published by the U.S. Department of Defense specify that user accounts must be locked out after 35 days of inactivity. This number may vary based on the particular site's policy.

Rationale:

Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

Solution

Perform the following to implement the recommended state:

# useradd -D -f 35

To set this policy on a user account, use the command(s):

# usermod -f 35 [name]

To set this policy on a role account, use the command(s):

# rolemod -f 35 [name]

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.2, CSCv7|16.9

Plugin: Unix

Control ID: 1d06c54ccb0a394849a4b6a6e102c8d3ba16f23be61fd43dea73308ce3ab5eef