STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.

DISA Rule

SV-217136r603262_rule

Vulnerability Number

V-217136

Group Title

SRG-OS-000118-GPOS-00060

Rule Version

SLES-12-010340

Severity

CAT II

CCI(s)

• CCI-000795 - The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.

Weight

10

Fix Recommendation

Configure the SUSE operating system to disable account identifiers after "35" days of inactivity after the password expiration.

Run the following command to change the configuration for "useradd" to disable the account identifier after "35" days:

# sudo useradd -D -f 35

DoD recommendation is "35" days, but a lower value greater than "0" is acceptable.

Check Contents

Verify the SUSE operating system disables account identifiers after "35" days of inactivity after the password expiration

Check the account inactivity value by performing the following command:

# sudo grep -i inactive /etc/default/useradd

INACTIVE=35

If "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.

Vulnerability Number

V-217136

Documentable

False

Rule Version

SLES-12-010340

Severity Override Guidance

Verify the SUSE operating system disables account identifiers after "35" days of inactivity after the password expiration

Check the account inactivity value by performing the following command:

# sudo grep -i inactive /etc/default/useradd

INACTIVE=35

If "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.

Check Content Reference

M

Target Key

4033

Comments