Title

NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. (Cat II impact)

Discussion

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Check Content

Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command: $ grep -i inactive /etc/default/useradd INACTIVE=35 If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.

Fix Text

Configure NixOS to disable inactive users. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: Ensure the lib functions are available: { config, lib, ... }: environment.etc."/default/useradd".text = lib.mkForce '' INACTIVE=35 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268174r1131156_rule

Vulnerability ID: V-268174

Group Title: SRG-OS-000118-GPOS-00060

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.