id: inactive-password-lock-default

info:
  name: Ensure Inactive Password Lock is Configured (Default Setting)
  author: Th3l0newolf
  severity: high
  description: |
    This policy ensures the default user inactivity lock is configured properly.User accounts that remain inactive for more than 45 days after password expiration should be disabled.
  remediation: |
    Ensure the default INACTIVE parameter is set to 45 days for new accounts.To configure, run: sudo useradd -D -f 45
  reference:
    - https://www.cisecurity.org/benchmark/ubuntu_linux
  metadata:
    verified: true
  tags: cis,local,cisecurity,audit,linux,ubuntu,password

self-contained: true

code:
  - engine:
      - bash
    args:
      - "-c"
      - |
        INACTIVE_DAYS=$(useradd -D | grep -i INACTIVE | awk -F= '{print $2}')
        if [ -z "$INACTIVE_DAYS" ] || [ "$INACTIVE_DAYS" -gt 45 ]; then
          echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=$INACTIVE_DAYS (invalid)] [CIS_FAIL]"
        else
          echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"
        fi

    matchers:
      - type: word
        name: policy-pass
        words:
          - "Policy-Pass"

      - type: word
        name: policy-fail
        words:
          - "Policy-Fail"
# digest: 4b0a00483046022100f3e5e3bb36176a8550312176a50c0d7938dd4f2f85ef28d7d5e7c24be37656d1022100cde95da0edd31265b7ef7145e309d7e5768146ab14079dd84f6d75e9b111041e:922c64590222798bb761d5b6d8e72950