code/linux/audit/inactive-password-lock-default.yaml

id: inactive-password-lock-default

info:
  name: Ensure Inactive Password Lock is Configured (Default Setting)
  author: Th3l0newolf
  severity: high
  description: |
    This policy ensures the default user inactivity lock is configured properly.User accounts that remain inactive for more than 45 days after password expiration should be disabled.
  remediation: |
    Ensure the default INACTIVE parameter is set to 45 days for new accounts.To configure, run: sudo useradd -D -f 45
  reference:
    - https://www.cisecurity.org/benchmark/ubuntu_linux
  metadata:
    verified: true
  tags: cis,local,cisecurity,audit,linux,ubuntu,password

self-contained: true

code:
  - engine:
      - bash
    args:
      - "-c"
      - |
        INACTIVE_DAYS=$(useradd -D | grep -i INACTIVE | awk -F= '{print $2}')
        if [ -z "$INACTIVE_DAYS" ] || [ "$INACTIVE_DAYS" -gt 45 ]; then
          echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=$INACTIVE_DAYS (invalid)] [CIS_FAIL]"
        else
          echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"
        fi

    matchers:
      - type: word
        name: policy-pass
        words:
          - "Policy-Pass"

      - type: word
        name: policy-fail
        words:
          - "Policy-Fail"
# digest: 4b0a00483046022100f3e5e3bb36176a8550312176a50c0d7938dd4f2f85ef28d7d5e7c24be37656d1022100cde95da0edd31265b7ef7145e309d7e5768146ab14079dd84f6d75e9b111041e:922c64590222798bb761d5b6d8e72950
file name, tags and Minor - changes 2025-08-19 18:03:12 +05:30			`id: inactive-password-lock-default`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00
			`info:`
			`name: Ensure Inactive Password Lock is Configured (Default Setting)`
			`author: Th3l0newolf`
			`severity: high`
			`description: \|`
file name, tags and Minor - changes 2025-08-19 18:03:12 +05:30			`This policy ensures the default user inactivity lock is configured properly.User accounts that remain inactive for more than 45 days after password expiration should be disabled.`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00			`remediation: \|`
fix-trail-lint-error 2025-08-19 18:38:32 +05:30			`Ensure the default INACTIVE parameter is set to 45 days for new accounts.To configure, run: sudo useradd -D -f 45`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00			`reference:`
			`- https://www.cisecurity.org/benchmark/ubuntu_linux`
			`metadata:`
			`verified: true`
Local tag - update 2025-08-28 23:41:32 +05:30			`tags: cis,local,cisecurity,audit,linux,ubuntu,password`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00
			`self-contained: true`

			`code:`
			`- engine:`
			`- bash`
			`args:`
			`- "-c"`
			`- \|`
			`INACTIVE_DAYS=$(useradd -D \| grep -i INACTIVE \| awk -F= '{print $2}')`
			`if [ -z "$INACTIVE_DAYS" ] \|\| [ "$INACTIVE_DAYS" -gt 45 ]; then`
file name, tags and Minor - changes 2025-08-19 18:03:12 +05:30			`echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=$INACTIVE_DAYS (invalid)] [CIS_FAIL]"`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00			`else`
file name, tags and Minor - changes 2025-08-19 18:03:12 +05:30			`echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"`
Ubuntu Phase 3 more templates 2025-06-18 23:58:37 -07:00			`fi`

			`matchers:`
			`- type: word`
			`name: policy-pass`
			`words:`
			`- "Policy-Pass"`

			`- type: word`
			`name: policy-fail`
			`words:`
chore: sign templates 🤖 2025-08-21 12:45:03 +00:00			`- "Policy-Fail"`
chore: sign templates 🤖 2025-08-29 10:06:03 +00:00			`# digest: 4b0a00483046022100f3e5e3bb36176a8550312176a50c0d7938dd4f2f85ef28d7d5e7c24be37656d1022100cde95da0edd31265b7ef7145e309d7e5768146ab14079dd84f6d75e9b111041e:922c64590222798bb761d5b6d8e72950`