The macOS system must disable accounts after 35 days of inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259552	APPL-14-003080	SV-259552r941278_rule		Medium

Description
The macOS must be configured to disable accounts after 35 days of inactivity. This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.

STIG	Date
Apple macOS 14 (Sonoma) Security Technical Implementation Guide	2024-01-10

Details

Check Text ( C-63291r941276_chk )
Verify the macOS system is configured to disable accounts after 35 days of inactivity with the following command: /usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' - If the result is not "35", this is a finding.

Fix Text (F-63199r941277_fix)

Configure the macOS system to disable accounts after 35 days of inactivity with the following command: This setting may be enforced using local policy or by a directory service. To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the "policyCategoryAuthentication": [source,xml] ---- policyContent policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60) policyIdentifier Inactive Account policyParameters policyAttributeInactiveDays 35 ---- After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file". [source,bash] ---- /usr/bin/pwpolicy setaccountpolicies $pwpolicy_file ---- Note: Refer to the password policy supplemental on more information on how to implement password policies on macOS.