← Back to Nutanix AOS 5.20.x OS Security Technical Implementation Guide

V-254207

CAT III (Low)

Nutanix AOS must be configured to disable user accounts after the password expires.

Rule ID

SV-254207r982189_rule

STIG

Nutanix AOS 5.20.x OS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000795

Discussion

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.

Check Content

Confirm Nutanix AOS is configured to disable user accounts after the password expires.

$ sudo grep -i inactive /etc/default/useradd
INACTIVE=0

If the value is not set to "0", is commented out, or is not defined, this is a finding.

Fix Text

Configure the system to disable inactive user accounts after the password expires by running the following command.

$ sudo salt-call state.sls security/CVM/pamCVM