OL6-00-000334 - Accounts must be locked upon 35 days of inactivity.

Information

Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.

Solution

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in '/etc/default/useradd', substituting '[NUM_DAYS]' appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled.

See the 'useradd' man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a 'normal' period of inactivity for users in the particular environment.

Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_6_V2R7_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CAT|III, CCI|CCI-000017, Rule-ID|SV-209036r793757_rule, STIG-ID|OL6-00-000334, STIG-Legacy|SV-65339, STIG-Legacy|V-51129, Vuln-ID|V-209036

Plugin: Unix

Control ID: e32a2a315fc35be1b743ff12f60cea2fde07ead458656db2d76d6dc63ef696a0