Information
The macOS system must disable accounts after 35 days of inactivity.
GROUP ID: V-259552
RULE ID: SV-259552r1038915
macOS must be configured to disable accounts after 35 days of inactivity.
This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.
Solution
Configure the macOS system to disable accounts after 35 days of inactivity with the following command.
This setting may be enforced using local policy or by a directory service.
To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the "policyCategoryAuthentication":
[source,xml]
[source,bash]
----
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
----
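
An added example, not part of the original guidance: a pre-flight check that parses a password policy file and confirms that "policyCategoryAuthentication" carries an inactivity window of at most 35 days before the file is passed to `pwpolicy`. The sample policy is constructed, and the `policyAttributeInactiveDays` parameter name, the `policyContent` expression, and the choice to accept any value from 1 to 35 are assumptions of this example.

```python
import plistlib

MAX_INACTIVE_DAYS = 35  # threshold stated by the rule

# Constructed sample policy file; the parameter name and policyContent
# expression are assumptions, not text from the page.
SAMPLE_POLICY = b"""<plist version="1.0">
<dict>
  <key>policyCategoryAuthentication</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeLastAuthenticationTime &gt; policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Inactive Account</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeInactiveDays</key>
        <integer>35</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>"""


def inactivity_days(policy_bytes):
    """Smallest inactivity window (days) set in policyCategoryAuthentication, or None."""
    policy = plistlib.loads(policy_bytes)
    found = []
    for entry in policy.get("policyCategoryAuthentication", []):
        days = entry.get("policyParameters", {}).get("policyAttributeInactiveDays")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(days, int) and not isinstance(days, bool):
            found.append(days)
    return min(found) if found else None


def is_compliant(policy_bytes):
    """True only when an inactivity window is set and does not exceed 35 days."""
    days = inactivity_days(policy_bytes)
    return days is not None and 0 < days <= MAX_INACTIVE_DAYS


if __name__ == "__main__":
    print("inactive days:", inactivity_days(SAMPLE_POLICY))
    print("compliant:", is_compliant(SAMPLE_POLICY))
```

A file with no inactivity entry is reported as non-compliant rather than skipped, so a policy that silently omits the setting fails the check.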