7.6 Lock Inactive User Accounts

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Guidelines published by the U.S. Department of Defense specify that user accounts must be
locked out after 35 days of inactivity. This number may vary based on the particular site's
policy.

Rationale:

Inactive accounts pose a threat to system security since the users are not logging in to
notice failed login attempts or other anomalies.

Solution

Perform the following to implement the recommended state:

# useradd -D -f 35

To set this policy on a user account, use the command(s):

# usermod -f 35 [name]

To set this policy on a role account, use the command(s):

# rolemod -f 35 [name]
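
To confirm the setting took effect on existing accounts, the check below reads shadow-format lines and reports any login-capable account whose inactivity value is missing or above the limit. It is an added example, not part of the benchmark or its audit file. It assumes the `-f` value is stored in the seventh colon-separated field of the shadow file, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit the "inactive" field (7th field of shadow-format lines)
# against the 35-day limit recommended above. Reads entries on stdin.
LIMIT=35

check_inactive() {
    awk -F: -v limit="${1:-$LIMIT}" '
        # Skip comments and malformed lines
        /^#/ || NF < 7 { next }
        # Assumption: these password-field values mark accounts that cannot
        # log in with a password (no password set, or locked), so they are skipped
        $2 == "NP" || $2 == "*" || $2 == "!" || $2 == "!!" || $2 ~ /^\*LK\*/ { next }
        # Empty field: no inactivity value was ever set for this account
        $7 == "" { print $1 ": inactive not set"; next }
        # Assumption: only 1..limit enforces the policy; 0 is treated as
        # "not in effect" and anything above the limit as too permissive
        $7 !~ /^[0-9]+$/ || $7 + 0 < 1 || $7 + 0 > limit {
            print $1 ": inactive=" $7 " outside 1.." limit
        }
    '
}

# Constructed sample entries (not real hashes or real accounts)
sample_shadow() {
cat <<'EOF'
root:$5$constructed$hash:19000:0:90:7:::
daemon:NP:6445::::::
alice:$5$constructed$hash:19000:0:90:7:35::
bob:$5$constructed$hash:19000:0:90:7:90::
carol:$5$constructed$hash:19000:0:90:7:14::
oldsvc:*LK*:19000::::::
EOF
}

# Demo: lists root (never set) and bob (90 days)
sample_shadow | check_inactive 35
```

On a live system, feed the function the real file as root, for example `check_inactive 35 < /etc/shadow`, and apply `usermod -f` or `rolemod -f` to each account it reports.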

See Also

https://workbench.cisecurity.org/files/2582