{"description": "To specify the number of days after a password expires (which\nsignifies inactivity) until an account is permanently disabled, add or correct\nthe following line in <tt>/etc/default/useradd</tt>:\n<pre>INACTIVE=<i><sub idref=\"var_account_disable_post_pw_expiration\" /></i></pre>\nIf a password is currently on the verge of expiration, then\n<tt><sub idref=\"var_account_disable_post_pw_expiration\" /></tt>\nday(s) remain(s) until the account is automatically\ndisabled. However, if the password will not expire for another 60 days, then 60\ndays plus <tt><sub idref=\"var_account_disable_post_pw_expiration\" /></tt> day(s) could\nelapse until the account would be automatically disabled. See the\n<tt>useradd</tt> man page for more information.", "rationale": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.\nDisabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.\nOwners of inactive accounts will not notice if unauthorized access to their user account has been obtained.", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "3", "5", "7", "8"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS01.03", "DSS03.05", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.6"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 6.2"], "iso27001-2013": ["A.12.4.1", "A.12.4.3", "A.18.1.4", "A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-004-6 R2.2.2", "CIP-004-6 R2.2.3", "CIP-007-3 R.1.3", "CIP-007-3 R5", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.3", "CIP-007-3 R5.2.1", "CIP-007-3 R5.2.3"], "nist": ["IA-4(e)", "AC-2(3)", "CM-6(a)"], "nist-csf": ["DE.CM-1", "DE.CM-3", "PR.AC-1", "PR.AC-4", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.1.4"], "srg": ["SRG-OS-000118-GPOS-00060"], "cis": ["5.4.1.5"], "pcidss4": ["8.2.6", "8.2"], "stigid": ["UBTU-22-411035"], "stigref": ["SV-260547r1015009_rule"]}, "control_references": {"cis": ["5.4.1.5"], "pcidss4": ["8.2.6", "8.2"], "stigid": ["UBTU-22-411035"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of INACTIVE is greater than the expected value or is -1", "ocil": "To verify the <tt>INACTIVE</tt> setting, run the following command:\n<pre>$ grep \"INACTIVE\" /etc/default/useradd</pre>\nThe output should indicate the <tt>INACTIVE</tt> configuration option is set\nto an appropriate integer as shown in the example below:\n<pre>$ grep \"INACTIVE\" /etc/default/useradd\nINACTIVE=<sub idref=\"var_account_disable_post_pw_expiration\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable account identifiers after <sub idref=\"var_account_disable_post_pw_expiration\" /> days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n$ sudo useradd -D -f <sub idref=\"var_account_disable_post_pw_expiration\" />\n\nA recommendation is <sub idref=\"var_account_disable_post_pw_expiration\" /> days, but a lower value is acceptable.\nThe value \"-1\" will disable this feature, and \"0\" will disable the account immediately after the password expires.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 Must Disable Account Identifiers (Individuals, Groups, Roles, And Devices) After 35 Days Of Inactivity.", "vuldiscussion": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.\nDisabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.\nOwners of inactive accounts will not notice if unauthorized access to their user account has been obtained.", "checktext": "Verify that Ubuntu 22.04 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command:\n\nCheck the account inactivity value by performing the following command:\n\n$ sudo grep -i inactive /etc/default/useradd\n\nINACTIVE=35\n\nIf \"INACTIVE\" is set to \"-1\", a value greater than \"35\", or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to disable account identifiers after 35 days of inactivity after the password expiration.\n\nRun the following command to change the configuration for useradd:\n\n$ sudo useradd -D -f 35\n\nA recommendation is 35 days, but a lower value is acceptable."}}, "platform": "package[shadow-utils]", "platforms": ["package[shadow-utils]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_shadow-utils"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Account Expiration Following Inactivity", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml", "template": null}