inactive-password-lock-default: Ensure Inactive Password Lock is Configured (Default Setting)

Date: 2025-08-01 | Affected software: inactive-password-lock-default | PoC: public

Vulnerability description

This policy checks that the default user-inactivity lock (the INACTIVE value reported by `useradd -D`, stored in /etc/default/useradd) is configured. Accounts whose password has expired and that then remain inactive for longer than the threshold (45 days in this template) should be disabled automatically. An INACTIVE value of -1, the stock default, disables the lock entirely and must be treated as a failure, as must an empty value.

PoC code [public]

id: inactive-password-lock-default

info:
  name: Ensure Inactive Password Lock is Configured (Default Setting)
  author: Th3l0newolf
  severity: high
  description: |
    This policy ensures the default user inactivity lock is configured properly. User accounts that remain inactive for more than 45 days after password expiration should be disabled. INACTIVE=-1 (the stock default) or an empty value disables the lock and fails the check.
  remediation: |
    Ensure the default INACTIVE parameter is set to 45 days or less for new accounts. To configure, run: sudo useradd -D -f 45. Existing accounts keep their own inactive value in /etc/shadow; set it with: sudo chage --inactive 45 <user>
  reference:
    - https://www.cisecurity.org/benchmark/ubuntu_linux
  metadata:
    verified: true
  tags: cis,local,cisecurity,audit,linux,ubuntu,password

self-contained: true

code:
  - engine:
      - bash
    args:
      - "-c"
      - |
        # Read the INACTIVE default from /etc/default/useradd. -1 (or an empty value) means
        # "never lock", so it must fail; the original only failed on values greater than 45.
        INACTIVE_DAYS=$(useradd -D | awk -F= '/^INACTIVE=/ {print $2}')
        if [ -z "$INACTIVE_DAYS" ] || ! [ "$INACTIVE_DAYS" -ge 0 ] 2>/dev/null || [ "$INACTIVE_DAYS" -gt 45 ]; then
          echo "[inactive-password-lock-default-check:Policy-Fail] [INACTIVE=${INACTIVE_DAYS:-unset} (invalid)] [CIS_FAIL]"
        else
          echo "[inactive-password-lock-default-check:Policy-Pass] [INACTIVE=$INACTIVE_DAYS (valid)] [CIS_PASS]"
        fi

    matchers:
      - type: word
        name: policy-pass
        words:
          - "Policy-Pass"

      - type: word
        name: policy-fail
        words:
          - "Policy-Fail"
# digest: 4b0a00483046022100f3e5e3bb36176a8550312176a50c0d7938dd4f2f85ef28d7d5e7c24be37656d1022100cde95da0edd31265b7ef7145e309d7e5768146ab14079dd84f6d75e9b111041e:922c64590222798bb761d5b6d8e72950
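The template above only inspects the useradd default, and the CIS Ubuntu benchmark control it cites is titled "Ensure inactive password lock is 30 days or less", so the 45-day threshold is the template author's choice rather than the benchmark value. Two practical caveats: the default does not apply to accounts that already exist (their inactive value is field 7 of /etc/shadow), and Nuclei only executes code-protocol templates that carry a valid signature, so editing the script invalidates the digest line and the template must be re-signed before it will run. The following shell script is an added example, not part of the template or the CIS benchmark: it evaluates both the default and the per-user shadow field against a threshold, treating -1, empty and non-numeric values as failures. The sample `useradd -D` output and shadow lines are constructed for the example; on a real host, pass `"$(useradd -D)"` and `"$(cat /etc/shadow)"` (root required for the latter). The function names and the `MAX_INACTIVE` variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example: check the inactive-password lock for the useradd default and
# for existing accounts. Not the template's code; names below are illustrative.

MAX_INACTIVE=45   # template threshold; the CIS benchmark text says 30 days or less

# inactive_ok DAYS -> returns 0 if DAYS is an integer in [0, MAX_INACTIVE], else 1.
# Empty, -1 and non-numeric values all mean "never lock" and therefore fail.
inactive_ok() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, negative (contains '-'), or non-numeric
  esac
  [ "$1" -le "$MAX_INACTIVE" ]
}

# default_inactive USERADD_D_OUTPUT -> prints the INACTIVE value (empty if absent)
default_inactive() {
  printf '%s\n' "$1" | awk -F= '/^INACTIVE=/ {print $2; exit}'
}

# check_default USERADD_D_OUTPUT -> "PASS INACTIVE=N" or "FAIL INACTIVE=N|unset"
check_default() {
  local v
  v=$(default_inactive "$1")
  if inactive_ok "$v"; then
    echo "PASS INACTIVE=$v"
  else
    echo "FAIL INACTIVE=${v:-unset}"
  fi
}

# shadow_violations SHADOW_CONTENT -> one "user:value" line per account that has a
# real password hash (field 2 not starting with ! or *) and whose inactive field
# (field 7) is empty, negative, or greater than MAX_INACTIVE.
shadow_violations() {
  printf '%s\n' "$1" | awk -F: -v max="$MAX_INACTIVE" '
    $2 !~ /^[!*]/ && ($7 == "" || $7 + 0 < 0 || $7 + 0 > max) {
      print $1 ":" ($7 == "" ? "unset" : $7)
    }'
}

# Constructed sample data (not from a real host): stock Debian/Ubuntu default of -1,
# and a shadow file with one compliant user (alice) and three non-compliant accounts.
SAMPLE_USERADD_D='GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no'

SAMPLE_SHADOW='root:$6$abc:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
alice:$6$def:19900:0:90:7:30::
bob:$6$ghi:19900:0:90:7:60::
carol:$6$jkl:19900:0:90:7:::'

# Stand-alone demonstration on the constructed data
check_default "$SAMPLE_USERADD_D"
shadow_violations "$SAMPLE_SHADOW"
```

On the sample data the default check reports `FAIL INACTIVE=-1`, and the shadow scan lists root (unset), bob (60) and carol (unset) while skipping alice and the locked `daemon` account. The same `inactive_ok` logic is what the template's one-liner needs in order not to pass a host whose lock is disabled.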