← Rules Catalog
mediumaccess-controlverified

Ensure inactive password lock is configured

password-inactive · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Inactive password lock must be configured to disable unused accounts.

Rationale

Dormant accounts with valid passwords are attractive targets for attackers.

Check → Remediate

Checkcommand
val=$(useradd -D 2>/dev/null | grep -oP 'INACTIVE=\K-?\d+')
if [ -z "$val" ]; then
  echo "FAIL: INACTIVE not found in useradd defaults"
  exit 1
fi
if [ "$val" -lt 1 ] || [ "$val" -gt {{ account_inactive_days }} ]; then
  echo "FAIL: INACTIVE=$val (expected 1-{{ account_inactive_days }})"
  exit 1
fi
echo "OK: INACTIVE=$val"
exit 0
expected_exit:
0
Remediatecommand_exec
useradd -D -f 30

Framework references

CIS

rhel9 5.4.1.5rhel8 5.4.1.5rhel10 5.4.1.5

STIG

V-281175 / RHEL-10-600160V-258049 / RHEL-09-411050V-230373V-270683 / UBTU-24-200260V-260547 / UBTU-22-411035

NIST 800-53

AC-2IA-5AC-2(3)

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#password#inactive#account