>From cd7df036681d09a9aeb018fdc6d1b93d27cb3a83 Mon Sep 17 00:00:00 2001 From: Shawn Wells <sh...@redhat.com> Date: Wed, 19 Sep 2012 12:22:33 -0400 Subject: [PATCH 09/14] Created OCIL for account_disable_post_pw_expiration - Created OCIL for account_disable_post_pw_expiration
--- .../accounts/restrictions/account_expiration.xml | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 75ddadc..585b7ce 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -46,6 +46,12 @@ period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. </description> +<ocil>To verify the <tt>INACTIVE</tt> setting, run the following command: +<pre>grep "INACTIVE" /etc/defaults/useradd</pre> +The output should indicate the <tt>INACTIVE</tt> configuration option is set +to an appropriate integer as shown in the example below: +<pre># grep "INACTIVE" /etc/defaults/useradd +INACTIVE=35</pre></ocil> <rationale> Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers -- 1.7.1
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
