← Back to Anduril NixOS Security Technical Implementation Guide

V-268174

CAT II (Medium)

NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Rule ID

SV-268174r1131156_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-003627

Discussion

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Check Content

Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command:

$ grep -i inactive /etc/default/useradd

    INACTIVE=35

If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.

Fix Text

Configure NixOS to disable inactive users.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

Ensure the lib functions are available:
 { config, lib, ... }:

 environment.etc."/default/useradd".text = lib.mkForce
   ''
    INACTIVE=35
   '';

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch