Saltstack Official Linux Formula
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
- # CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
- #
- # Description
- # ===========
- # User accounts that have been inactive for over a given period of time can be
- # automatically disabled. It is recommended that accounts that are inactive
- # for 30 days after password expiration be disabled.
- #
- # Rationale
- # =========
- # Inactive accounts pose a threat to system security since the users are not
- # logging in to notice failed login attempts or other anomalies.
- #
- # Audit
- # =====
- # Run the following command and verify INACTIVE is 30 or less:
- #
- # # useradd -D | grep INACTIVE
- # INACTIVE=30
- #
- # Verify all users with a password have Password inactive no more than 30 days
- # after password expires:
- #
- # # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
- # <list of users>
- # # chage --list <user>
- # Password inactive: <date>
- #
- # Remediation
- # ===========
- # Run the following command to set the default password inactivity period to
- # 30 days:
- #
- # # useradd -D -f 30
- #
- # Modify user parameters for all users with a password set to match:
- #
- # # chage --inactive 30 <user>
- #
- # Notes
- # =====
- # You can also check this setting in /etc/shadow directly. The 7th field
- # should be 30 or less for all users with a password.
- #
- parameters:
- linux:
- system:
- login_defs:
- INACTIVE:
- value: 30
|
