NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268174 | ANIX-00-001930 | SV-268174r1039410_rule | Medium |
| Description |
| Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity. |
| STIG | Date |
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
| Check Text (C-72098r1039408_chk) |
| Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command: $ grep -i inactive /etc/default/useradd INACTIVE=35 If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding. |
| Fix Text (F-72001r1039409_fix) |
| Configure the NixOS operating system to disable inactive users. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix. Ensure that utils and lib modules are available { config, pkgs, lib, utils, ... }: environment.etc."/default/useradd".text = pkgs.lib.mkForce '' INACTIVE=35 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch |