
5.5.1.4 Ensure inactive password lock is 30 days or less

Audit

Run the following command and verify that INACTIVE conforms to site policy (no more than 30 days):

# useradd -D | grep INACTIVE
INACTIVE=30

Verify that all users with a password have their password inactivity period set to no more than 30 days after the password expires.

Run the following command and review the list of users and their INACTIVE values to verify that every user's INACTIVE conforms to site policy (no more than 30 days):

# awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\s*$|-1)/ || $7>30)){print $1 " " $7}' /etc/shadow
No <user> <INACTIVE> lines should be returned (the command lists accounts whose inactivity period is unset, -1, or greater than 30 days).

Remediation

Run the following command to set the default password inactivity period to 30 days:

# useradd -D -f 30

Modify the parameters of every user that has a password set so that their inactivity period matches (repeat for each user returned by the audit):

# chage --inactive 30 <user>
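The audit and remediation steps above, combined into one runnable script. This is an added example and not part of the benchmark text: it reads a shadow-format stream on stdin, lists non-conforming accounts with the same selection rule as the benchmark's awk command, and emits the matching chage commands without executing them. The shadow content in sample_shadow is constructed, and its hashes are placeholders.

```shell
# Added example, not benchmark text: audit a shadow-format stream for accounts
# whose INACTIVE field (field 7) is unset, -1, or above a limit, then emit
# the matching remediation commands without running them.
# The sample shadow content below is constructed; the hashes are placeholders.

# Print one "user INACTIVE" line per non-conforming account read from stdin.
# Selection mirrors the benchmark's awk: field 2 (password) must not start
# with ! (locked) or * (no password), and field 7 must be empty, -1,
# or greater than the limit (default 30).
audit_inactive() {
    limit="${1:-30}"
    awk -F: -v max="$limit" '
        $2 !~ /^[!*]/ {
            if ($7 ~ /^[[:space:]]*$/ || $7 == "-1" || $7 + 0 > max)
                print $1 " " $7
        }'
}

# Turn audit output into the corresponding chage commands, one per user.
# Nothing is executed; review the list before running it or piping it to sh.
remediation_commands() {
    limit="${1:-30}"
    awk -v max="$limit" '{ print "chage --inactive " max " " $1 }'
}

# Constructed /etc/shadow sample covering each case the audit must handle:
# conforming (root), no password (daemon), unset (alice), -1 (bob),
# too long (carol), locked (dave).
sample_shadow() {
    cat <<'EOF'
root:$6$PLACEHOLDER$hash1:19700:0:99999:7:30::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDER$hash2:19700:0:99999:7:::
bob:$6$PLACEHOLDER$hash3:19700:0:99999:7:-1::
carol:$6$PLACEHOLDER$hash4:19700:0:99999:7:45::
dave:!$6$PLACEHOLDER$hash5:19700:0:99999:7:::
EOF
}

# Demonstration on the constructed sample. On a live host replace the
# sample with: audit_inactive 30 < /etc/shadow
sample_shadow | audit_inactive 30
sample_shadow | audit_inactive 30 | remediation_commands 30
```

The empty-field test uses the POSIX class `[[:space:]]` instead of `\s`, so the script behaves the same under gawk and mawk; `\s` is a gawk extension and on other awk implementations the benchmark's one-liner can silently miss accounts whose INACTIVE field is blank.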

Default Value:

INACTIVE=-1