mediumaccess-controlverified ✓
Ensure inactive password lock is configured
password-inactive · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Inactive password lock must be configured to disable unused accounts.
Rationale
Dormant accounts with valid passwords are attractive targets for attackers.
Check → Remediate
Checkcommand
val=$(useradd -D 2>/dev/null | grep -oP 'INACTIVE=\K-?\d+')
if [ -z "$val" ]; then
echo "FAIL: INACTIVE not found in useradd defaults"
exit 1
fi
if [ "$val" -lt 1 ] || [ "$val" -gt {{ account_inactive_days }} ]; then
echo "FAIL: INACTIVE=$val (expected 1-{{ account_inactive_days }})"
exit 1
fi
echo "OK: INACTIVE=$val"
exit 0
- expected_exit:
- 0
Remediatecommand_exec
useradd -D -f 30
Framework references
CIS
rhel9 5.4.1.5rhel8 5.4.1.5rhel10 5.4.1.5
STIG
V-281175 / RHEL-10-600160V-258049 / RHEL-09-411050V-230373V-270683 / UBTU-24-200260V-260547 / UBTU-22-411035
NIST 800-53
AC-2IA-5AC-2(3)
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#password#inactive#account