RHEL-07-010310 - The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.

Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Solution

Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) 35 days after the password expires.

Add the following line to '/etc/default/useradd' (or modify the line to have the required value):

INACTIVE=35
DoD recommendation is 35 days, but a lower value is acceptable. The value '-1' will disable this feature, and '0' will disable the account immediately after the password expires.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R10_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000795, Rule-ID|SV-204426r809190_rule, STIG-ID|RHEL-07-010310, STIG-Legacy|SV-86565, STIG-Legacy|V-71941, Vuln-ID|V-204426

Plugin: Unix

Control ID: 8a537b3a0f882072c1dec23a9552416649ef166e8f108bfa9aabb14a7c752c8b