```bash
@test "Verify INACTIVE in /etc/default/useradd" {
  run bash -c "grep '^INACTIVE=35$' /etc/default/useradd"
  [ "$status" -eq 0 ]
}
```
# Disable inactive accounts

## Description

Accounts that have been inactive for a number of days after password expiration should be disabled.
The number of days of inactivity after password expiration should be adapted to the organizational policy, but should not exceed 35 days.
## Rationale

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.

## Audit

```shell
useradd -D | grep '^INACTIVE'
```
## Remediation

```shell
# Set the default INACTIVE value applied to newly created accounts. The pattern
# matches both a commented-out line (# INACTIVE=) and an existing setting such
# as INACTIVE=-1, which the original "^# INACTIVE=" pattern would have skipped.
sed -i -E 's/^#?\s*INACTIVE=.*/INACTIVE=35/' "/etc/default/useradd"
```
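The default in `/etc/default/useradd` only affects accounts created afterwards; existing accounts carry their own inactivity value in field 7 of `/etc/shadow`. The following script is an added example, not part of the original benchmark text: it checks an `/etc/default/useradd`-style text for a compliant value (1 to 35 days) and audits shadow-format records for accounts whose inactivity period is unset, disabled (`-1`) or longer than the policy allows. The shadow records are constructed sample data; function names and the 35-day constant are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit the INACTIVE default and
# the per-account inactivity field against a 35-day maximum.
MAX_INACTIVE=35

# Constructed sample in /etc/shadow format (field 7 = days of inactivity
# after password expiry before the account is disabled):
#   alice   30 days  -> compliant
#   bob     blank    -> never disabled
#   carol   -1       -> inactivity lock explicitly disabled
#   dave    90 days  -> exceeds policy
#   nobody/sysuser   -> locked password, not assessed
SAMPLE_SHADOW='alice:$6$salt$hash:19000:0:90:7:30::
bob:$6$salt$hash:19000:0:90:7:::
carol:$6$salt$hash:19000:0:90:7:-1::
dave:$6$salt$hash:19000:0:90:7:90::
nobody:*:19000:0:99999:7:::
sysuser:!:19000:0:99999:7:::'

# Returns 0 when /etc/default/useradd-style text on stdin sets INACTIVE to
# a value between 1 and 35 inclusive (the page's bats test requires exactly 35).
default_inactive_ok() {
  grep -Eq '^INACTIVE=([1-9]|[12][0-9]|3[0-5])$'
}

# Reads shadow records on stdin and prints "user:value" for every account
# whose inactivity period is unset, -1, or greater than the given maximum.
# Accounts with a locked password hash (leading ! or *) are skipped.
audit_inactive() {
  local max="${1:-$MAX_INACTIVE}"
  awk -F: -v max="$max" '
    $2 ~ /^[!*]/ { next }                       # locked: no password login
    $7 == "" || $7 == -1 || $7 > max {          # unset, disabled, or too long
      printf "%s:%s\n", $1, ($7 == "" ? "unset" : $7)
    }'
}

# Stand-alone run against the constructed sample; on a real host use
#   getent shadow | audit_inactive 35
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf '%s\n' "$SAMPLE_SHADOW" | audit_inactive "$MAX_INACTIVE"
fi
```

Accounts the audit reports can be brought into policy with `chage --inactive 35 <user>`, which is what the `/etc/default/useradd` change does implicitly for new accounts.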