
The operating system must manage information system identifiers for users and devices by disabling the user identifier after 35 days of inactivity.


Overview

Finding ID: V-48083
Version: SOL-11.1-040290
Rule ID: SV-60955r1_rule
IA Controls:
Severity: Medium
Description
Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.
STIG: Solaris 11 SPARC Security Technical Implementation Guide
Date: 2017-03-02

Details

Check Text (C-50515r1_chk)
Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'


If these commands provide output other than 35, this is a finding.
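
The per-account check above can be run over every account in one pass instead of one name at a time. The script below is an added example, not part of the STIG: the function names audit_inactive and sample_logins are hypothetical, the sample records are constructed, and only field 13 (the inactivity value) is taken from the check text; the other fields are filler.

```shell
#!/bin/sh
# Added example (not STIG text): list accounts whose inactivity
# value, field 13 of colon-separated "logins -axo" output, is not 35.

REQUIRED=35

# audit_inactive: reads "logins -axo" style records on stdin and prints
# "name:value" for every record that would be a finding.
audit_inactive() {
    awk -F: -v req="$REQUIRED" '
        NF == 0    { next }                        # ignore blank lines
        NF < 13    { print $1 ":<missing>"; next } # record too short to judge
        $13 != req { print $1 ":" $13 }            # value differs from 35
    '
}

# sample_logins: constructed records for illustration only.
# alice is compliant, bob has no inactivity lock (-1), auditrole is set to 0.
sample_logins() {
    cat <<'EOF'
alice:100:staff:10:Alice Example:/export/home/alice:/usr/bin/bash:PS:010117:7:56:7:35:000000
bob:101:staff:10:Bob Example:/export/home/bob:/usr/bin/bash:PS:010117:7:56:7:-1:000000
auditrole:102:staff:10:Audit Role:/export/home/auditrole:/usr/bin/pfbash:PS:010117:7:56:7:0:000000
EOF
}

# Run against the constructed sample. On a Solaris 11 host, in the root
# role, replace this with:  logins -axo | audit_inactive
sample_logins | audit_inactive
```

Any line printed is a finding for that account; no output means every record carried the value 35.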
Fix Text (F-51691r1_fix)
The root role is required.

Perform the following to implement the recommended state:

# useradd -D -f 35

To set this policy on a user account, use the command(s):

# usermod -f 35 [username]

To set this policy on a role account, use the command(s):

# rolemod -f 35 [name]