======5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)======
=====Profile Applicability=====
Level 1 - Server
Level 1 - Workstation
=====Description=====
User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
=====Rationale=====
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
=====Audit=====
Run the following command and verify ''INACTIVE'' is 30 or less:
<code>
# useradd -D | grep INACTIVE
INACTIVE=35
</code>
Verify that every user with a password set has ''Password inactive'' no more than 30 days after the password expires:
<code>
# grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1
# chage --list <user>
Password inactive :
</code>
=====Remediation=====
Run the following command to set the default password inactivity period to 30 days:
<code>
# useradd -D -f 30
</code>
Modify user parameters for all users with a password set to match:
<code>
# chage --inactive 30 <user>
</code>
=====Notes=====
You can also check this setting in ''/etc/shadow'' directly. The 7th field should be 30 or less for all users with a password.
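The 7th-field check from the note above can be scripted in one pass. The following is an added example, not part of the benchmark text: the function names ''audit_inactive'' and ''sample_shadow'' and the sample entries are constructed for illustration. It treats an empty 7th field (no inactivity period enforced) as non-compliant.

```shell
#!/bin/sh
# Added example: report accounts with a password set whose inactivity period
# (7th field of a shadow-format file) is unset or above the allowed maximum.

# audit_inactive FILE [MAX_DAYS]   (FILE may be "-" for standard input)
# Prints "user:value" per non-compliant account; returns 1 if any were found.
audit_inactive() {
    awk -F: -v max="${2:-30}" '
        # Password field starting with "!" or "*": locked / no password, skip
        # (same account selection as the audit regex ^[^:]+:[^!*]).
        $2 ~ /^[!*]/ { next }
        # Field 7 must be a non-negative integer no larger than max.
        $7 !~ /^[0-9]+$/ || $7 + 0 > max {
            print $1 ":" ($7 == "" ? "unset" : $7)
            bad = 1
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample in shadow(5) format; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19000:0:90:7:30::
alice:$6$constructed$hash:19000:0:90:7:45::
bob:$6$constructed$hash:19000:0:90:7:::
carol:$6$constructed$hash:19000:0:90:7:0::
svc:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# Demo on the constructed sample. On a real host (as root):
#   audit_inactive /etc/shadow 30
sample_shadow | audit_inactive - 30 || echo "accounts listed above need: chage --inactive 30 <user>"
```
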