{"description": "Verify the account identifiers (individuals, groups, roles, and devices) are disabled after\n<sub idref=\"var_account_disable_inactivity\" /> or fewer days of inactivity by\nchecking the account inactivity value with the following command:\n<pre>grep 'inactive\\|pam_unix' /etc/pam.d/password-auth | grep -w auth\n\nauth required pam_lastlog.so inactive=35\nauth sufficient pam_unix.so</pre>\nThe line with the inactive parameter should be placed before the <tt>pam_unix.so</tt> module as in\nthe example output.", "rationale": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an\ninactive identifier and potentially obtain undetected access to the system. Owners of inactive\naccounts will not notice if unauthorized access to their user account has been obtained.", "severity": "medium", "references": {"nist": ["IA-4(e)"], "srg": ["SRG-OS-000118-GPOS-00060"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the value of inactive is incorrect or is not set before pam_unix.so", "ocil": "To verify the <tt>inactive</tt> setting, run the following command:\n<pre>$ grep 'inactive\\|pam_unix' /etc/pam.d/system-auth | grep -w auth</pre>\nThe output should indicate the <tt>inactive</tt> configuration option is set\nto an appropriate integer between 1 and\n<sub idref=\"var_account_disable_inactivity\" />; and should appear\nbefore the <tt>pam_unix.so</tt> module as shown in the example below:\n<pre>$ grep 'inactive\\|pam_unix' /etc/pam.d/system-auth | grep -w auth\nauth required pam_lastlog.so inactive=<sub idref=\"var_account_disable_inactivity\" />\nauth sufficient pam_unix.so</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable account identifiers after\n<sub idref=\"var_account_disable_inactivity\" /> days of inactivity.\nAdd or correct the following line in <tt>/etc/pam.d/system-auth</tt>:\n<pre>auth required pam_lastlog.so inactive=<i><sub idref=\"var_account_disable_inactivity\" /></i></pre>\nThis line should be placed before the <tt>pam_unix.so</tt> module as in the line:\n<pre>auth sufficient pam_unix.so</pre>\nA recommendation is <sub idref=\"var_account_disable_inactivity\" /> days, but a\nlower value is acceptable.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Account Expiration Following Inactivity in system-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_inactivity_system_auth/rule.yml", "template": null}