Ack
--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) shawn(a)redhat.com
(c) 443-534-0130
On Jun 28, 2012, at 9:38 AM, Jeffrey Blank <blank(a)eclipse.ncsc.mil> wrote:
We want to have them edit this text file since we want the setting to
apply to ALL accounts by default when they are created.
Running chage on one account just sets it for that one account at that time.
That said, I can amend my commit prior to push to mention the existence
of chage in the enclosing <Group>, so that the information is there.
Sound good?
On 06/27/2012 06:45 PM, Shawn Wells wrote:
> On 6/27/12 6:35 PM, Jeffrey Blank wrote:
>> +<Rule id="account_disable_post_pw_expiration">
>> +<title>Set Account Expiration Following Inactivity</title>
>> +<description>To specify the number of days after a password expires
>> +(which signifies inactivity) until an
>> +account is permanently disabled, edit the file
>> <tt>/etc/defaults/useradd</tt>
>> +and add or correct the following lines, substituting
>> <tt><i>NUM_DAYS</i></tt> appropriately:
>> +<pre>INACTIVE=<i>NUM_DAYS</i></pre>
>> +A value of 35 is recommended. If a password is currently on the
>> +verge of expiration, then 35 days remain until the account is
>> automatically
>> +disabled. However, if the password will not expire for another 60
>> days, then 95
>> +days could elapse until the account would be automatically disabled.
>> See the
>> +<tt>useradd</tt> man page for more information. Determining the
>> inactivity
>> +timeout must be done with careful consideration of the length of a
>> "normal"
>> +period of inactivity for users in the particular environment. Setting
>> +the timeout too low incurs support costs and also has the potential
>> to impact
>> +availability of the system to legitimate users.
>> +</description>
>> +<rationale>
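Review bot: the path in the description, <tt>/etc/defaults/useradd</tt>, looks like a typo. The useradd defaults file is /etc/default/useradd (singular "default"), so an admin following the text as written would edit a file that useradd never reads. The description should also state that INACTIVE only sets the default for accounts created afterwards, and that existing accounts need a per-account change such as chage -I, which is the point raised in the replies.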
>
> nitpick. kinda.
>
> do we want to have them edit text files, or just issue a chage command ala
> # chage -I 35 shawn
>
> ^ that's an uppercase i
>
> and the idea of using this concept as the definition of 'inactive
> account' is novel, I haven't thought of this before!
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/scap-security-guide
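The distinction drawn in this thread (the useradd default covers accounts created later, while chage -I changes one existing account) can be audited as below. This is an added example, not part of the original messages or the project's content; the function names, the sample files and the limit of 35 passed to the check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all sample data is constructed. On a real host the inputs
# would be /etc/default/useradd and /etc/shadow (root needed for the latter).

# Effective INACTIVE default for accounts created later: the last
# uncommented assignment wins; prints -1 (feature disabled) when none is set.
useradd_inactive() {
    awk -F= '/^INACTIVE=/ { v = $2 }
             END { print (v == "" ? -1 : v) }' "$1"
}

# Existing accounts with a usable password whose shadow inactivity field
# (7th) is empty or above the limit in $2; these need "chage -I".
shadow_inactive_gaps() {
    awk -F: -v max="$2" '
        $2 ~ /^[!*]/ { next }    # locked account or system account without a hash
        $7 == "" || $7 + 0 > max + 0 { print $1 }' "$1"
}

sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

# Constructed useradd defaults file: the later INACTIVE line overrides the first.
cat > "$sample_dir/useradd" <<'EOF'
# useradd defaults file (constructed sample)
GROUP=100
INACTIVE=-1
INACTIVE=35
SHELL=/bin/bash
EOF

# Constructed shadow entries: name:hash:lastchg:min:max:warn:inactive:expire:
cat > "$sample_dir/shadow" <<'EOF'
root:$6$constructed$hash:15500:0:60:7:35::
alice:$6$constructed$hash:15500:0:60:7:::
bob:$6$constructed$hash:15500:0:60:7:90::
daemon:*:15500:0:99999:7:::
carol:!!:15500:0:60:7:::
EOF

echo "default for new accounts: INACTIVE=$(useradd_inactive "$sample_dir/useradd")"
echo "existing accounts not covered by that default:"
shadow_inactive_gaps "$sample_dir/shadow" 35
```

Here alice was created before the default was set and bob was given a longer period by hand, so both are reported even though the default for new accounts is already 35.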