5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
The INACTIVE setting is checked by `account_disable_post_pw_expiration`.
But the actual list of users is not verified, i.e. whether any user with a password inactive for more than 30 days is inactive.
@yuumasato good point. Seems like CIS should break that out into its own rule, but anyway, reading the rule from the CIS benchmark itself, I thought `chage -l user` can show inactivity.
~~I believe the check of existing users' passwords is covered by:~~
~~- `accounts_password_set_max_life_existing`~~
~~- `accounts_password_set_min_life_existing`~~
~~I'll add them to CIS control files soon.~~
Edit: Actually, the rules I mention are about active interactive users, not inactive users.
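
An added example, not part of the issue thread or the project's rules: a shell check of the per-user inactivity period that the issue says is not verified. It assumes the shadow(5) layout, where field 7 is the password inactivity period; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code). Reads shadow(5)-format lines on
# stdin and lists accounts whose inactivity period (field 7) is unset or
# greater than the limit. Against a live system, run as root:
#   inactive_violations 30 < /etc/shadow

# Usage: inactive_violations [MAX_DAYS] < shadow-file   (default limit: 30)
inactive_violations() {
    awk -F: -v max="${1:-30}" '
        # Assumption: an empty field 2, or one starting with ! or *, means
        # the account has no usable password, so the setting does not apply.
        $2 == "" || $2 ~ /^[!*]/ { next }
        # Field 7 empty: the account is never disabled after expiry.
        $7 == "" { print $1 ":unset"; next }
        # Field 7 is not a non-negative integer, or exceeds the limit.
        $7 !~ /^[0-9]+$/ || $7 + 0 > max + 0 { print $1 ":" $7 }
    '
}

# Constructed sample entries; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:30::
alice:$6$placeholder$hash:19000:1:365:7:::
bob:$6$placeholder$hash:19000:1:365:7:45::
carol:$6$placeholder$hash:19000:1:365:7:30::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample_shadow | inactive_violations 30
```

Each output line is `user:value`, where the value is the offending field 7 content or `unset`; no output means every account with a password is within the limit.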