Skip to content

5.4.1.5 Ensure inactive password lock is configured

Audit#

Run the following command and verify INACTIVE conforms to site policy (no more than 45 days): 

# useradd -D | grep INACTIVE
INACTIVE=45

Verify all users with a password have Password inactive no more than 45 days after password expires Run the following command and Review list of users and INACTIVE to verify that all users INACTIVE conforms to site policy (no more than 45 days): 

# awk -F: '($2~/^\$.+\$/) {if($7 > 45 || $7 < 0)print "User: " $1 " INACTIVE:" $7}' /etc/shadow
Nothing should be returned

Remediation#

Run the following command to set the default password inactivity period to 45 days or less that meets local site policy: 

# useradd -D -f <N>

Example: 

# useradd -D -f 45

Run the following command to modify user parameters for all users with a password set to a inactive age of 45 days or less that follows local site policy: 

# chage --inactive <N> <user>

Example: 

# awk -F: '($2~/^\$.+\$/) {if($7 > 45 || $7 < 0)system ("chage --inactive 45" $1)}' /etc/shadow

Default Value: INACTIVE=-1