Major Hayden d0f4a70d9c V-3869{2,4}: Lock inactive accounts
Implements: blueprint security-hardening

Change-Id: I96ff7de8398c1fb60c73e169e597dd354121c05e
2015-10-22 07:57:31 -05:00

Opt-in required

By default, Ubuntu doesn't require that inactive accounts be locked after a period of time. The STIG requires that accounts with 35 days of inactivity are locked.

Deployers must opt in to this change by setting the inactive_account_lock_days Ansible variable. The STIG requires this to be set to 35 days at a maximum. The Ansible tasks will not make any changes to /etc/default/useradd unless inactive_account_lock_days is set.
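One way to audit the result on a host, as an added example that is not part of this project's tasks: the check below reads the INACTIVE default from /etc/default/useradd and compares it with the 35-day maximum. The function name check_inactive_lock and its exit codes are hypothetical, and it assumes the plain INACTIVE=<days> form at the start of a line.

```shell
#!/bin/sh
# Added example (not the project's code): audit the INACTIVE default that
# useradd applies to newly created accounts.
#
# check_inactive_lock [FILE] [MAX_DAYS]   (hypothetical helper name)
# Exit status:
#   0  INACTIVE is set to a value between 0 and MAX_DAYS
#   1  INACTIVE is missing, commented out, or -1 (locking disabled)
#   2  INACTIVE is set above MAX_DAYS
#   3  file unreadable or value is not an integer
check_inactive_lock() {
    file=${1:-/etc/default/useradd}
    max=${2:-35}    # the STIG maximum stated on this page

    [ -r "$file" ] || return 3

    # Only uncommented lines that start with INACTIVE= count; when the key
    # appears more than once, the last assignment is the one audited.
    value=$(sed -n 's/^INACTIVE=//p' "$file" | tail -n 1 | tr -d ' \t\r')

    [ -n "$value" ] || return 1

    case $value in
        -1) return 1 ;;          # -1 means inactive accounts are never locked
        *[!0-9]*) return 3 ;;    # anything else that is not a plain integer
    esac

    [ "$value" -le "$max" ] || return 2
    return 0
}
```

The INACTIVE value in /etc/default/useradd is a default for accounts created afterwards; accounts that already exist keep the inactivity period recorded in their own /etc/shadow entry.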