# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
#
# Description
# ===========
# User accounts that have been inactive for over a given period of time can be
# automatically disabled. It is recommended that accounts that are inactive
# for 30 days after password expiration be disabled.
#
# Rationale
# =========
# Inactive accounts pose a threat to system security since the users are not
# logging in to notice failed login attempts or other anomalies.
#
# Audit
# =====
# Run the following command and verify INACTIVE is 30 or less:
#
#   # useradd -D | grep INACTIVE
#   INACTIVE=30
#
# Verify all users with a password have Password inactive no more than 30 days
# after password expires:
#
#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
#   <list of users>
#   # chage --list <user>
#   Password inactive: <date>
#
# Remediation
# ===========
# Run the following command to set the default password inactivity period to
# 30 days:
#
#   # useradd -D -f 30
#
# Modify user parameters for all users with a password set to match:
#
#   # chage --inactive 30 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 7th field
# should be 30 or less for all users with a password.
#
parameters:
  linux:
    system:
      login_defs:
        INACTIVE:
          value: 30