I just pushed with modification.
Willy may want to update mappings to some combination of CCIs 15, 16,
and 17 for some combinations of this new Group (account_expiration) and
Rule (account_disable_post_pw_expiration).
(And perhaps remove the "new rule needed" ref to CCI 17, and correct the
closing-tag comments for the Groups in srg_support.xml).
I figure it's easier to ask than to cross commits mid-stream...
Thanks!
On 06/28/2012 12:27 PM, Shawn Wells wrote:
Ack
--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) shawn(a)redhat.com
(c) 443-534-0130
On Jun 28, 2012, at 9:38 AM, Jeffrey Blank <blank(a)eclipse.ncsc.mil> wrote:
> We want to have them edit this text file since we want the setting to
> apply to ALL accounts by default when they are created.
>
> Running chage on one account just sets it for that one account at that time.
>
> That said, I can amend my commit prior to push to mention the existence
> of chage in the enclosing <Group>, so that the information is there.
>
> Sound good?
>
>
>
> On 06/27/2012 06:45 PM, Shawn Wells wrote:
>> On 6/27/12 6:35 PM, Jeffrey Blank wrote:
>>> +<Rule id="account_disable_post_pw_expiration">
>>> +<title>Set Account Expiration Following Inactivity</title>
>>> +<description>To specify the number of days after a password expires
>>> +(which signifies inactivity) until an
>>> +account is permanently disabled, edit the file
>>> <tt>/etc/defaults/useradd</tt>
>>> +and add or correct the following lines, substituting
>>> <tt><i>NUM_DAYS</i></tt> appropriately:
>>> +<pre>INACTIVE=<i>NUM_DAYS</i></pre>
>>> +A value of 35 is recommended. If a password is currently on the
>>> +verge of expiration, then 35 days remain until the account is
>>> automatically
>>> +disabled. However, if the password will not expire for another 60
>>> days, then 95
>>> +days could elapse until the account would be automatically disabled.
>>> See the
>>> +<tt>useradd</tt> man page for more information. Determining
the
>>> inactivity
>>> +timeout must be done with careful consideration of the length of a
>>> "normal"
>>> +period of inactivity for users in the particular environment. Setting
>>> +the timeout too low incurs support costs and also has the potential
>>> to impact
>>> +availability of the system to legitimate users.
>>> +</description>
>>> +<rationale>
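Review bot: the path in the description is wrong: useradd reads /etc/default/useradd (no trailing "s"), so a reader who follows the text literally creates a file nothing consults; fix the <tt>/etc/defaults/useradd</tt> reference. The same paragraph should also say that INACTIVE= in that file is only a default for accounts created afterwards; accounts that already exist keep field 7 of /etc/shadow and need `chage -I NUM_DAYS USER` (or `usermod -f`) individually, otherwise an admin can satisfy this Rule on the file while every pre-existing user remains exempt from the lockout.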
>>
>> nitpick. kinda.
>>
>> do we want to have them edit text files, or just issue a chage command ala
>> # chage -I 35 shawn
>>
>> ^ that's an uppercase i
>>
>> and the idea of using this concept as the definition of 'inactive
>> account' is novel, I haven't thought of this before!
>> _______________________________________________
>> scap-security-guide mailing list
>> scap-security-guide(a)lists.fedorahosted.org
>> https://fedorahosted.org/mailman/listinfo/scap-security-guide
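The distinction argued over in this thread (INACTIVE= in the useradd defaults seeds new accounts only, while chage -I writes the value into an existing account's shadow entry) is easy to get wrong in an audit. The following is an added example, not code from the scap-security-guide project or from anyone in the thread: it reads a useradd-defaults file and shadow-format lines from stdin, reports existing password-bearing accounts that lack a lockout of at most NUM_DAYS, and prints the per-account chage command for each. The file contents and account names below are constructed so it runs offline and without root; the functions can be pointed at the real /etc/default/useradd and /etc/shadow by an administrator.

```bash
#!/bin/bash
# Added example (not from the thread or the SSG project). Audits the
# inactivity lockout: INACTIVE= in /etc/default/useradd only seeds new
# accounts; existing accounts carry their own value in field 7 of
# /etc/shadow, which is what `chage -I` writes. Sample data is constructed.

# Constructed sample of /etc/default/useradd (assumed content, -1 = never).
SAMPLE_USERADD_DEFAULTS='GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes'

# Constructed sample of /etc/shadow lines (hashes are placeholders).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:*:15500:0:99999:7:::
alice:$6$x:15500:1:60:7:35::
bob:$6$y:15500:1:60:7:::
carol:$6$z:15500:1:60:7:-1::
daemon:*:15500:0:99999:7:::'

# useradd_inactive_default: print the INACTIVE value from useradd-defaults
# text on stdin (empty output if the key is absent).
useradd_inactive_default() {
    sed -n 's/^INACTIVE=//p' | tail -n 1
}

# shadow_missing_inactive MAXDAYS: read shadow-format lines on stdin and
# print the names of accounts whose inactive field (7) is empty, negative,
# or greater than MAXDAYS. Accounts with a locked or absent password
# ('*' or a leading '!') have no password to expire and are skipped.
shadow_missing_inactive() {
    awk -F: -v max="$1" '
        $2 == "*" || $2 ~ /^!/ { next }
        $7 == "" || $7 < 0 || $7 > max { print $1 }
    '
}

# remediation_for USER DAYS: the per-account command from the thread.
# Printed rather than executed so the audit is safe to run unprivileged.
remediation_for() {
    printf 'chage -I %s %s\n' "$2" "$1"
}

main() {
    def=$(printf '%s\n' "$SAMPLE_USERADD_DEFAULTS" | useradd_inactive_default)
    echo "default INACTIVE for new accounts: ${def:-<unset>}"
    echo "existing accounts lacking a <=35 day inactivity lockout:"
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_missing_inactive 35 | while read -r u; do
        echo "  $u  -> $(remediation_for "$u" 35)"
    done
}

main
```

Against the constructed input the audit flags bob (field 7 empty) and carol (-1, never disable) while leaving alice alone, and reports that the defaults file would still hand -1 to any account created next; both halves have to be checked, which is why the thread's compromise (set the file, mention chage in the enclosing Group) is the right shape for the Rule.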