mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-05 18:23:57 +08:00
42 lines
1.5 KiB
YAML
42 lines
1.5 KiB
YAML
id: inactive-password-lock-default
|
|
|
|
info:
|
|
name: Ensure Inactive Password Lock is Configured (Default Setting)
|
|
author: Th3l0newolf
|
|
severity: high
|
|
description: |
|
|
This policy ensures the default user inactivity lock is configured properly.User accounts that remain inactive for more than 45 days after password expiration should be disabled.
|
|
remediation: |
|
|
Ensure the default INACTIVE parameter is set to 45 days for new accounts.To configure, run: sudo useradd -D -f 45
|
|
reference:
|
|
- https://www.cisecurity.org/benchmark/ubuntu_linux
|
|
metadata:
|
|
verified: true
|
|
tags: cis,cisecurity,audit,linux,ubuntu,password
|
|
|
|
self-contained: true
|
|
|
|
code:
|
|
- engine:
|
|
- bash
|
|
args:
|
|
- "-c"
|
|
- |
|
|
INACTIVE_DAYS=$(useradd -D | grep -i INACTIVE | awk -F= '{print $2}')
|
|
if [ -z "$INACTIVE_DAYS" ] || [ "$INACTIVE_DAYS" -gt 45 ]; then
|
|
echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=$INACTIVE_DAYS (invalid)] [CIS_FAIL]"
|
|
else
|
|
echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"
|
|
fi
|
|
|
|
matchers:
|
|
- type: word
|
|
name: policy-pass
|
|
words:
|
|
- "Policy-Pass"
|
|
|
|
- type: word
|
|
name: policy-fail
|
|
words:
|
|
- "Policy-Fail"
|
|
# digest: 4a0a0047304502205a5d16c61422ef5bb4c25952e034797f96ca7f551ae756cd24d67f370ea58f0e022100e39b90817f05a5cc517694676ad5b0653f2f1a848dad30c2325093f07028181a:922c64590222798bb761d5b6d8e72950 |