User accounts must be locked after 35 days of inactivity.


Overview

Finding ID: V-48079
Version: SOL-11.1-040280
Rule ID: SV-60951r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
STIG: Solaris 11 X86 Security Technical Implementation Guide
Date: 2015-12-07

Details

Check Text (C-50511r1_chk)
Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'

If these commands provide output other than 35, this is a finding.
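An added audit helper, not part of the STIG text, that applies the two checks above to sample output so it can be exercised without a Solaris host. The field layout (inactivity value in field 13 of "logins -axo") follows the check; the sample lines for "useradd -D" and "logins -axo" are constructed and are not from a real system.

```shell
#!/bin/sh
# Added example: parse "useradd -D" and "logins -axo" output for the
# 35-day inactivity lock required by SOL-11.1-040280.

# Extract the "inactive=N" token from "useradd -D" output read on stdin.
default_inactive() {
    tr ' ' '\n' | awk -F= '$1 == "inactive" { print $2 }'
}

# Read "logins -axo" style lines on stdin and print "login:inactive"
# for every account whose field 13 (inactivity days) is not the wanted
# value (35 unless overridden by the first argument). Returns 1 when
# there is at least one finding, 0 otherwise.
audit_inactive() {
    awk -F: -v want="${1:-35}" '
        NF >= 13 && $13 != want { print $1 ":" $13; findings++ }
        END { exit (findings ? 1 : 0) }
    '
}

# Constructed sample of "useradd -D" output (inactive=0 is a finding).
SAMPLE_DEFAULTS='group=other,1  project=default,3  basedir=/home  skel=/etc/skel  shell=/usr/bin/bash  inactive=0  expire=  auths=  profiles=  roles=  limitpriv=  defaultpriv=  lock_after_retries='

# Constructed sample of "logins -axo" output; fields assumed as:
# login:uid:group:gid:gecos:home:shell:status:lastchg:min:max:warn:inactive:expire
SAMPLE_LOGINS='root:0:root:0:Super-User:/root:/usr/bin/bash:PS:010115:7:56:7:35:
alice:100:staff:10:Alice Example:/export/home/alice:/usr/bin/bash:PS:120115:7:56:7:35:
bob:101:staff:10:Bob Example:/export/home/bob:/usr/bin/bash:PS:120115:7:56:7:-1:
svc:102:daemon:12:Service acct:/var/svc:/usr/bin/pfsh:LK:010115:7:56:7:0:'

# Run both checks over the samples. On a live system the equivalents are:
#   useradd -D | default_inactive
#   logins -axo | audit_inactive
echo "default inactive=$(printf '%s\n' "$SAMPLE_DEFAULTS" | default_inactive)"
printf '%s\n' "$SAMPLE_LOGINS" | audit_inactive \
    && echo "no per-account findings" || echo "per-account finding(s) listed above"
```

Accounts printed by audit_inactive (here bob with -1 and svc with 0) are findings under this rule.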
Fix Text (F-51687r1_fix)
The root role is required.

Perform the following to implement the recommended state:

# useradd -D -f 35

To set this policy on a user account, use the command(s):

# usermod -f 35 [username]

To set this policy on a role account, use the command(s):

# rolemod -f 35 [name]