Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / linux / dda5fab96866d1684e0f9b5a3173b8bde196c341^! / .
commitdda5fab96866d1684e0f9b5a3173b8bde196c341[log] [tgz]
authorDmitry Teselkin <dteselkin@mirantis.com>Tue Oct 02 15:59:52 2018 +0300
committerDmitry Teselkin <dteselkin@mirantis.com>Tue Oct 02 16:32:44 2018 +0300
treec0cf36c9b4a67adae4431569b2289947aaac2ad0
parente4ea94f1bbc5430d0d1138c85837cc6948d0f3f0 [diff]
Drop CIS 5.4.1.4

CIS 5.4.1.4 should be configured in /etc/default/useradd

cis-5-4-1-4.yml attempts to configure this item in
pillar that relates to /etc/login.defs and should be removed.

Related-Prod: PROD-23600

Change-Id: Iea93a54a44df919c07001fc02e3551276ef9583c

diff --git a/metadata/service/system/cis/cis-5-4-1-4.yml b/metadata/service/system/cis/cis-5-4-1-4.yml
deleted file mode 100644
index 97a86af..0000000
--- a/metadata/service/system/cis/cis-5-4-1-4.yml
+++ /dev/null

@@ -1,51 +0,0 @@
-# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
-#
-# Description
-# ===========
-# User accounts that have been inactive for over a given period of time can be
-# automatically disabled. It is recommended that accounts that are inactive
-# for 30 days after password expiration be disabled.
-#
-# Rationale
-# =========
-# Inactive accounts pose a threat to system security since the users are not
-# logging in to notice failed login attempts or other anomalies.
-#
-# Audit
-# =====
-# Run the following command and verify INACTIVE is 30 or less:
-#
-#   # useradd -D | grep INACTIVE
-#   INACTIVE=30
-#
-# Verify all users with a password have Password inactive no more than 30 days
-# after password expires:
-#
-#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
-#   <list of users>
-#   # chage --list <user>
-#   Password inactive: <date>
-#
-# Remediation
-# ===========
-# Run the following command to set the default password inactivity period to
-# 30 days:
-#
-#   # useradd -D -f 30
-#
-# Modify user parameters for all users with a password set to match:
-#
-#   # chage --inactive 30 <user>
-#
-# Notes
-# =====
-# You can also check this setting in /etc/shadow directly. The 7th field
-# should be 30 or less for all users with a password.
-#
-parameters:
-  linux:
-    system:
-      login_defs:
-        INACTIVE:
-          value: 30
-

diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index 26b7642..0c2626d 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml

@@ -34,7 +34,6 @@
 - service.linux.system.cis.cis-5-4-1-1
 - service.linux.system.cis.cis-5-4-1-2
 - service.linux.system.cis.cis-5-4-1-3
-- service.linux.system.cis.cis-5-4-1-4
 - service.linux.system.cis.cis-5-4-4
 - service.linux.system.cis.cis-6-1-2
 - service.linux.system.cis.cis-6-1-3