id: inactive-password-lock-default

info:
  name: Ensure Inactive Password Lock is Configured (Default Setting)
  author: Th3l0newolf
  severity: high
  description: |
    This policy ensures the default user inactivity lock is configured properly.User accounts that remain inactive for more than 45 days after password expiration should be disabled.
  remediation: |
    Ensure the default INACTIVE parameter is set to 45 days for new accounts.To configure, run: sudo useradd -D -f 45
  reference:
    - https://www.cisecurity.org/benchmark/ubuntu_linux
  metadata:
    verified: true
  tags: cis,cisecurity,audit,linux,ubuntu,password

self-contained: true

code:
  - engine:
      - bash
    args:
      - "-c"
      - |
        INACTIVE_DAYS=$(useradd -D | grep -i INACTIVE | awk -F= '{print $2}')
        if [ -z "$INACTIVE_DAYS" ] || [ "$INACTIVE_DAYS" -gt 45 ]; then
          echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=$INACTIVE_DAYS (invalid)] [CIS_FAIL]"
        else
          echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"
        fi

    matchers:
      - type: word
        name: policy-pass
        words:
          - "Policy-Pass"

      - type: word
        name: policy-fail
        words:
          - "Policy-Fail"
# digest: 4a0a0047304502205a5d16c61422ef5bb4c25952e034797f96ca7f551ae756cd24d67f370ea58f0e022100e39b90817f05a5cc517694676ad5b0653f2f1a848dad30c2325093f07028181a:922c64590222798bb761d5b6d8e72950