STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.

DISA Rule

SV-204426r603261_rule

Vulnerability Number

V-204426

Group Title

SRG-OS-000118-GPOS-00060

Rule Version

RHEL-07-010310

Severity

CAT II

CCI(s)

• CCI-000795 - The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.

Weight

10

Fix Recommendation

Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.

Add the following line to "/etc/default/useradd" (or modify the line to have the required value):

INACTIVE=0

Check Contents

If passwords are not being used for authentication, this is Not Applicable.

Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:

# grep -i inactive /etc/default/useradd
INACTIVE=0

If the value is not set to "0", is commented out, or is not defined, this is a finding.

Vulnerability Number

V-204426

Documentable

False

Rule Version

RHEL-07-010310

Severity Override Guidance

If passwords are not being used for authentication, this is Not Applicable.

Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:

# grep -i inactive /etc/default/useradd
INACTIVE=0

If the value is not set to "0", is commented out, or is not defined, this is a finding.

Check Content Reference

M

Target Key

2899

Comments