Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity by checking the account inactivity value with the following command:
$ sudo grep 'inactive\|pam_unix' /etc/pam.d/password-auth | grep -w auth
auth required pam_lastlog.so inactive=35
auth sufficient pam_unix.so
If the pam_lastlog.so module is listed below the pam_unix.so module in the "password-auth" file, this is a finding.
If the value of "inactive" is set to zero, a negative number, or is greater than 35, this is a finding.
If the line is commented out or missing, ask the administrator to indicate how the system disables access for account identifiers. If there is no evidence that the system is disabling access for account identifiers after 35 days of inactivity, this is a finding.
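The three conditions above can be evaluated in one pass over the file. The following is an added example, not part of the original check text: the function name `check_inactive` and the PASS/FINDING/REVIEW labels are assumptions, and a pam_lastlog.so line with no "inactive" argument is treated the same as a missing line.

```shell
#!/bin/sh
# check_inactive FILE
# Prints PASS, FINDING (with reason) or REVIEW (ask the administrator)
# for the pam_lastlog.so inactivity setting in a PAM stack file.
check_inactive() {
    awk '
        /^[[:space:]]*#/ { next }            # commented-out lines do not count
        $1 !~ /^-?auth$/ { next }            # only the auth stack is relevant
        /pam_unix\.so/ && !unix { unix = NR }
        /pam_lastlog\.so/ && !lastlog {
            lastlog = NR
            # The control field may be bracketed and contain spaces,
            # so scan every field for the inactive= argument.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^inactive=/) { val = substr($i, 10); has = 1 }
        }
        END {
            if (!lastlog || !has) {
                print "REVIEW: no active pam_lastlog.so inactive= line"
                exit
            }
            # Zero, negative, non-numeric or greater than 35 is a finding.
            if (val !~ /^[0-9]+$/ || val + 0 < 1 || val + 0 > 35) {
                print "FINDING: inactive=" val " is outside 1-35"
                exit
            }
            if (unix && lastlog > unix) {
                print "FINDING: pam_lastlog.so is listed below pam_unix.so"
                exit
            }
            print "PASS: inactive=" val
        }
    ' "$1"
}

# Constructed sample (not taken from a real host): correct order, value in range.
sample=$(mktemp)
printf '%s\n' 'auth required pam_lastlog.so inactive=35' \
              'auth sufficient pam_unix.so' > "$sample"
check_inactive "$sample"
rm -f "$sample"
```

On a live system, run it as `check_inactive /etc/pam.d/password-auth` with sufficient privileges to read the file.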