Profile Applicability:
• Level 1
Description:
The inactive password lock setting defines the number of days after a password expires before the account is locked. Setting this value to 30 days or less ensures timely disabling of inactive accounts, reducing the risk of unauthorized access.
Rationale:
Enforcing a short inactive password lock period limits the window in which expired accounts can be exploited, enhancing system security by disabling stale accounts promptly.
Impact:
Pros:
Reduces risk from unused or compromised accounts.
Supports compliance with account management policies.
Cons:
May inadvertently lock accounts if users do not update their passwords in a timely manner.
Default Value:
The default inactive password lock period varies by distribution and is sometimes not configured at all.
Pre-requisites:
Root or sudo privileges to configure account aging policies.
Remediation:
Test Plan:
Using Linux command line:
1. Check current inactive password lock settings for a user:
chage -l <username> | grep "Password inactive"
2. Review global defaults in /etc/login.defs if applicable:
grep INACTIVE /etc/login.defs
Implementation Plan:
Using Linux command line:
1. Set the inactive password lock period globally in /etc/login.defs:
vi /etc/login.defs
2. Update or add the line:
INACTIVE 30
3. For individual users, use chage:
chage -I 30 <username>
4. Verify settings:
chage -l <username>
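The following is an added audit helper illustrating both the Test Plan and the verification step above; it is not part of the benchmark text or of any distribution's tooling. It evaluates the seventh (inactive) field of /etc/shadow-format records and an INACTIVE line from a login.defs-style file against the 30-day limit, using constructed sample input so it runs offline; point it at the real files to audit a host.

```sh
#!/bin/sh
# Added example (not from the benchmark): audit inactive password lock settings.
# Field 7 of an /etc/shadow record is the inactive period in days; an empty
# field or -1 means the account is never locked after its password expires.
MAX_INACTIVE=30

# Constructed sample /etc/shadow records (fake hashes, not real credentials).
SAMPLE_SHADOW='root:$6$fakehash:19700:0:99999:7:30::
alice:$6$fakehash:19700:0:99999:7:::
bob:$6$fakehash:19700:0:99999:7:-1::
svc:!!:19700:0:99999:7:::
carol:$6$fakehash:19700:1:90:7:14::'

# Constructed excerpt of a login.defs-style file.
SAMPLE_LOGIN_DEFS='# constructed excerpt
PASS_MAX_DAYS 365
INACTIVE 30'

# noncompliant_users SHADOW_TEXT
# Prints one username per line whose inactive period is unset, negative or
# greater than MAX_INACTIVE. Accounts without a usable password (field 2
# starting with ! or *) are skipped, as they cannot log in with a password.
noncompliant_users() {
    printf '%s\n' "$1" | awk -F: -v max="$MAX_INACTIVE" '
        $2 ~ /^[!*]/ { next }
        $7 !~ /^[0-9]+$/ || $7 + 0 > max { print $1 }'
}

# login_defs_inactive LOGIN_DEFS_TEXT
# Prints OK when an INACTIVE value of 0..MAX_INACTIVE is present, else FAIL.
login_defs_inactive() {
    printf '%s\n' "$1" | awk -v max="$MAX_INACTIVE" '
        /^[[:space:]]*INACTIVE[[:space:]]+/ { v = $2 }
        END { if (v ~ /^[0-9]+$/ && v + 0 <= max) print "OK"; else print "FAIL" }'
}

# Stand-alone run over the constructed samples.
echo "Global default: $(login_defs_inactive "$SAMPLE_LOGIN_DEFS")"
echo "Non-compliant accounts:"
noncompliant_users "$SAMPLE_SHADOW"
```

On shadow-utils based systems the value applied to newly created accounts is also reported by `useradd -D` (the INACTIVE entry in /etc/default/useradd), so checking that output alongside /etc/login.defs avoids missing a default set there.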
Backout Plan:
Using Linux command line:
Increase the inactive password lock period if necessary by modifying /etc/login.defs and/or using chage.
Verify changes.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
chage Manual