Set existing passwords a period of inactivity before they are locked
Description
Configure existing user accounts so that they are automatically locked after a given
number of days of inactivity following password expiration (the INACTIVE field of
/etc/shadow) by running the following command for each affected account:
$ sudo chage --inactive 30 USER
Rationale
Inactive accounts pose a threat to system security since the users are not logging in to
notice failed login attempts or other anomalies.
Shell script
The following script can be run on the host to remediate the issue.
var_account_disable_post_pw_expiration='30'

# Select accounts from /etc/shadow that have a password hash set (field 2 begins
# with "$") and whose INACTIVE value (field 7) is either unset or larger than the
# allowed number of days, then apply the limit to each of them with chage.
while IFS= read -r i; do
    chage --inactive "$var_account_disable_post_pw_expiration" "$i"
done < <(awk -v var="$var_account_disable_post_pw_expiration" -F: '(($7 > var || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow)
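The selection logic above can be exercised safely before touching a live system. The following script is an added example, not part of the ComplianceAsCode rule or its remediation: it applies the same awk filter to any file in /etc/shadow layout (so a copy of the file can be audited without root), prints the chage commands that would be run as a dry run, and builds a constructed sample shadow file with placeholder hashes to demonstrate which entries are selected. The function names and the sample entries are assumptions introduced for the example.

```shell
#!/bin/bash
# Added example, not part of the ComplianceAsCode rule: audit a file in
# /etc/shadow layout for accounts that violate the INACTIVE limit and print the
# chage commands that would remediate them.

# Print the names of accounts that would be remediated.
#   $1  path to a file in /etc/shadow format
#   $2  maximum allowed INACTIVE value in days (e.g. 30)
# Field 2 is the password hash; only entries starting with "$" are usable
# hashes. Field 7 is INACTIVE: empty means "never lock", which is a finding.
shadow_inactive_violations() {
    awk -v max="$2" -F: '
        ($2 ~ /^\$/) && ($7 == "" || $7 + 0 > max + 0) { print $1 }
    ' "$1"
}

# Print the remediation commands without running them (dry run).
plan_remediation() {
    shadow_inactive_violations "$1" "$2" | while IFS= read -r user; do
        printf 'chage --inactive %s %s\n' "$2" "$user"
    done
}

# Constructed sample in /etc/shadow layout; the hash strings are placeholders,
# not real password hashes.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19700:0:99999:7:30::
bob:$6$saltsalt$placeholderhash:19700:0:99999:7:60::
carol:$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
nobody:!!:19700:0:99999:7:::
locked:!$6$saltsalt$placeholderhash:19700:0:99999:7:::
EOF
}

# Stand-alone run: build the sample and show the plan for a 30-day limit.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_shadow "$tmp"
    plan_remediation "$tmp" 30
    rm -f "$tmp"
fi
```

Run with `--demo` to see the plan for the sample: root and carol are selected because their INACTIVE field is empty, bob because 60 exceeds 30, and alice is left alone. Note two things the filter does on purpose: entries whose second field is `*` or `!!` (no password) are skipped, and so is `locked`, whose hash is prefixed with `!` by `passwd -l` or `usermod -L`; if such an account is unlocked later it will fail this check until the script is run again. The rule only fixes existing accounts; the value new accounts receive comes from INACTIVE in /etc/default/useradd (`useradd -D -f 30`). Verify an individual account afterwards with `chage -l USER` and read the "Password inactive" line.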
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable
  set_fact:
    var_account_disable_post_pw_expiration: !!str 30
  tags:
    - always

- name: Collect users whose INACTIVE parameter is not set correctly
  ansible.builtin.command:
    cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
  register: user_names
  changed_when: false
  tags:
    - CCE-86757-2
    - NIST-800-171-3.5.6
    - NIST-800-53-AC-2(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-4(e)
    - PCI-DSS-Req-8.1.4
    - accounts_set_post_pw_existing
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Change the period of inactivity
  ansible.builtin.command:
    cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }}
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names.stdout_lines | length > 0
  tags:
    - CCE-86757-2
    - NIST-800-171-3.5.6
    - NIST-800-53-AC-2(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-4(e)
    - PCI-DSS-Req-8.1.4
    - accounts_set_post_pw_existing
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy