5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)

Level 1 - Server
Level 1 - Workstation 

User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.

Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

Run the following command and verify INACTIVE is 30 or less:

# useradd -D | grep INACTIVE 
INACTIVE=35

Verify all users with a password have Password inactive no more than 30 days after password expires:

# egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
<list of users> 
# chage --list <user> 
Password inactive : <date>

Run the following command to set the default password inactivity period to 30 days:

# useradd -D -f 30

Modify user parameters for all users with a password set to match:

# chage --inactive 30 <user>

You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password.

  • ubuntu1604/5/4/1/4.txt
  • Last modified: 2017/05/04 12:33
  • by 127.0.0.1