CIS 5.4.1.x
* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
Related-Prod: PROD-18386
Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
diff --git a/metadata/service/system/cis/cis-5-4-1-4.yml b/metadata/service/system/cis/cis-5-4-1-4.yml
new file mode 100644
index 0000000..97a86af
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-4.yml
@@ -0,0 +1,51 @@
+# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+#
+# Description
+# ===========
+# User accounts that have been inactive for over a given period of time can be
+# automatically disabled. It is recommended that accounts that are inactive
+# for 30 days after password expiration be disabled.
+#
+# Rationale
+# =========
+# Inactive accounts pose a threat to system security since the users are not
+# logging in to notice failed login attempts or other anomalies.
+#
+# Audit
+# =====
+# Run the following command and verify INACTIVE is 30 or less:
+#
+# # useradd -D | grep INACTIVE
+# INACTIVE=30
+#
+# Verify all users with a password have Password inactive no more than 30 days
+# after password expires:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Password inactive: <date>
+#
+# Remediation
+# ===========
+# Run the following command to set the default password inactivity period to
+# 30 days:
+#
+# # useradd -D -f 30
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --inactive 30 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 7th field
+# should be 30 or less for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ INACTIVE:
+ value: 30
+
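Review bot: the parameter is placed under `login_defs`, but the remediation this file documents (`useradd -D -f 30`) writes `INACTIVE=30` to /etc/default/useradd, not to /etc/login.defs; shadow-utils does not read an INACTIVE key from login.defs, so if this metadata is rendered into login.defs the setting has no effect and the audit command in the comment (`useradd -D | grep INACTIVE`) will still fail. Either move the key to whatever parameter maps onto /etc/default/useradd or, if `login_defs` is the only available hook, name the gap in the Notes section. Also worth stating in the comment that this block only changes the default inherited by newly created accounts; the per-user step the Remediation section lists (`chage --inactive 30 <user>`) is not covered by the parameter and still has to be applied separately for accounts that already exist.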