STIGQter STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 1 Release: 17 Benchmark Date: 25 Oct 2019: The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.

DISA Rule

SV-65341r1_rule

Vulnerability Number

V-51131

Group Title

SRG-OS-000118

Rule Version

OL6-00-000335

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in "/etc/default/useradd", substituting "[NUM_DAYS]" appropriately:

INACTIVE=[NUM_DAYS]

A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled.

See the "useradd" man page for more information.

Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment.

Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.

Check Contents

To verify the "INACTIVE" setting, run the following command:

grep "INACTIVE" /etc/default/useradd

The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:

# grep "INACTIVE" /etc/default/useradd
INACTIVE=35

If it does not, this is a finding.

Vulnerability Number

V-51131

Documentable

False

Rule Version

OL6-00-000335

Severity Override Guidance

To verify the "INACTIVE" setting, run the following command:

grep "INACTIVE" /etc/default/useradd

The output should indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below:

# grep "INACTIVE" /etc/default/useradd
INACTIVE=35

If it does not, this is a finding.

Check Content Reference

M

Target Key

2208

Comments