CCE-95481-8
Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2021-03-05 (M)2023-07-04
Description
User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.
Rationale
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
Audit
Run the following command and verify INACTIVE is 30 or less:
# useradd -D | grep INACTIVE
INACTIVE=5
Verify that, for every user with a password, Password inactive is no more than 30 days after the password expires:
# grep -E '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1
# chage --list <user>
Password inactive : <date>
Remediation
Run the following command to set the default password inactivity period to 30 days:
# useradd -D -f 30
Modify the user parameters of every user with a password set so that they match:
# chage --inactive 30 <user>
Notes
You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password.
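The /etc/shadow check described in the note above, as an added example that is not part of the original benchmark text. The function names audit_inactive and sample_shadow, the temporary file and the sample entries are constructed for illustration; account selection mirrors the grep in the Audit section (second field not starting with ! or *).

```shell
#!/bin/sh
# Added example: report password-bearing accounts whose shadow inactivity
# field (7th field) is unset or above the limit (default 30).
# audit_inactive is a hypothetical helper name, not part of any package.
audit_inactive() {
    shadow_file=$1
    limit=${2:-30}
    awk -F: -v limit="$limit" '
        BEGIN { bad = 0 }
        # Same selection as the audit grep: skip locked (!) or disabled (*) entries
        $2 ~ /^[!*]/ { next }
        # Empty or non-numeric field 7: the account is never disabled for inactivity
        $7 !~ /^[0-9]+$/ { print $1 ": INACTIVE unset"; bad = 1; next }
        # Numeric but larger than the allowed number of days
        $7 + 0 > limit + 0 { print $1 ": INACTIVE=" $7; bad = 1 }
        END { exit bad }
    ' "$shadow_file"
}

# Constructed sample in /etc/shadow format (hashes are placeholders).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:30::
alice:$6$constructed$hash:19000:0:90:7:::
bob:$6$constructed$hash:19000:0:90:7:45::
svc:!!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
carol:$6$constructed$hash:19000:0:90:7:5::
EOF
}

# Demo run against the constructed sample; on a real host pass /etc/shadow as root.
demo_file=$(mktemp)
sample_shadow > "$demo_file"
audit_inactive "$demo_file" 30 || echo "non-compliant accounts found"
rm -f "$demo_file"
```

The function exits non-zero when any account is reported, so it can gate a compliance job.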
Parameter:
[30]
Technical Mechanism:
Run the following command to set the default password inactivity period to 30 days:
# useradd -D -f 30
Modify user parameters for all users with a password set to match:
# chage --inactive 30 <user>
CCSS Severity:
CCSS Score: 8.1
Exploit Score: 2.2
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
References:
Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:71983
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72927
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84223
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68632
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72349
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72821
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73032
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72718