From 48d106a9a876b376b53cf28c896c6af74913f6f7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 15 Sep 2020 17:10:02 +0200
Subject: [PATCH] Update text of rule account_disable_post_pw_expiration.

Remove hardcoded recommended value and make it more generic to be more
aligned with RHEL7 STIG. The current text is from RHEL6 STIG.
---
.../rule.yml | 21 +++++++------------
1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index cfa59edd38..f92b6079c9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -7,20 +7,15 @@ title: 'Set Account Expiration Following Inactivity'
description: |-
To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
- the following lines in <tt>/etc/default/useradd</tt>, substituting
- <tt>NUM_DAYS</tt> appropriately:
+ the following line in <tt>/etc/default/useradd</tt>:
INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}
- A value of 35 is recommended; however, this profile expects that the value is set to
- <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>.
- If a password is currently on the
- verge of expiration, then 35 days remain until the account is automatically
- disabled. However, if the password will not expire for another 60 days, then 95
- days could elapse until the account would be automatically disabled. See the
- <tt>useradd</tt> man page for more information. Determining the inactivity
- timeout must be done with careful consideration of the length of a "normal"
- period of inactivity for users in the particular environment. Setting
- the timeout too low incurs support costs and also has the potential to impact
- availability of the system to legitimate users.
+ If a password is currently on the verge of expiration, then
+ <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>
+ day(s) remain(s) until the account is automatically
+ disabled. However, if the password will not expire for another 60 days, then 60
+ days plus <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt> day(s) could
+ elapse until the account would be automatically disabled. See the
+ <tt>useradd</tt> man page for more information.

rationale: |-
Disabling inactive accounts ensures that accounts which may not
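Review bot: The rewrite drops more than the hardcoded value the commit message describes: the closing guidance ("Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.") is removed as well, and that text does not depend on any particular number. Consider keeping those two sentences after the "<tt>useradd</tt> man page for more information." line so that the operational trade-off of choosing the value stays with the rule. Minor: "day(s) remain(s)" reads awkwardly once the variable is rendered as a number; a phrasing like "the account is disabled <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt> days after the password expires" avoids the parenthesised plurals, and the same applies to "60 days plus ... day(s)".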