STIGQter STIGQter: STIG Summary: Solaris 10 SPARC Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Accounts must be locked upon 35 days of inactivity.

DISA Rule

SV-220024r603265_rule

Vulnerability Number

V-220024

Group Title

SRG-OS-000003

Rule Version

GEN000760

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

All inactive accounts will have /bin/false, /usr/bin/false, or /dev/null as the default shell in the /etc/passwd file and have the password disabled. Disable the inactive accounts. Examine the inactive accounts using the last command. Note the date of last login for each account. If any (other than system and application accounts) exceed 35 days, then disable them by placing a shell of /bin/false or /dev/null in the shell field of the passwd file entry for that account. An alternative, and preferable method, is to disable the account using smc or the passwd command.

# passwd -l < account to lock >

Check Contents

Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days.

Obtain a listing of user accounts.
#cat /etc/passwd | cut -f1 -d ":"

Run the last command for each user account.
# last < user account >

If any user's account has not been accessed in the last 35 days and the account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found that is not disabled, this is a finding.

Vulnerability Number

V-220024

Documentable

False

Rule Version

GEN000760

Severity Override Guidance

Indications of inactive accounts are those without entries in the last log. Check the date in the last log to verify it is within the last 35 days.

Obtain a listing of user accounts.
#cat /etc/passwd | cut -f1 -d ":"

Run the last command for each user account.
# last < user account >

If any user's account has not been accessed in the last 35 days and the account is not disabled via an entry in the password field in the /etc/passwd or /etc/shadow (or equivalent), check the /etc/passwd file to check if the account has a valid shell. If an inactive account is found that is not disabled, this is a finding.

Check Content Reference

M

Target Key

4060

Comments