From d0f4a70d9c4d84c6d5915db88e70b381ea1263dc Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 15:02:20 -0500
Subject: [PATCH] V-3869{2,4}: Lock inactive accounts

Implements: blueprint security-hardening
Change-Id: I96ff7de8398c1fb60c73e169e597dd354121c05e
---
 defaults/main.yml | 2 ++
 doc/source/developer-notes/V-38692.rst | 10 ++++++++++
 doc/source/developer-notes/V-38694.rst | 1 +
 tasks/auth.yml | 11 +++++++++++
 4 files changed, 24 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38692.rst
 create mode 120000 doc/source/developer-notes/V-38694.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 9ac040e8..5fdb8603 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -179,6 +179,8 @@ admin_space_left_action: SUSPEND # V-54381
 # V-38684 - Setting the maximum number of simultaneous logins per user. The
 # STIG sets a limit of 10.
 #max_simultaneous_logins: 10 # V-38684
+# V-38692 - Lock accounts that are inactive for 35 days.
+#inactive_account_lock_days: 35 # V-38692
 
 ## Kernel modules
 # Set these booleans to 'yes' to disable the kernel module (following the
diff --git a/doc/source/developer-notes/V-38692.rst b/doc/source/developer-notes/V-38692.rst
new file mode 100644
index 00000000..0005bfeb
--- /dev/null
+++ b/doc/source/developer-notes/V-38692.rst
@@ -0,0 +1,10 @@
+**Opt-in required**
+
+By default, Ubuntu doesn't require that inactive accounts are locked after a
+period of time. The STIG requires that accounts with 35 days of activity are
+locked.
+
+Deployers must opt-in for this change by setting the
+``inactive_account_lock_days`` Ansible variable. The STIG requires this to be
+set to 35 days at a maximum. The Ansible tasks will not make any changes to
+``/etc/default/useradd`` unless ``inactive_account_lock_days`` is set.
diff --git a/doc/source/developer-notes/V-38694.rst b/doc/source/developer-notes/V-38694.rst
new file mode 120000
index 00000000..e16613ad
--- /dev/null
+++ b/doc/source/developer-notes/V-38694.rst
@@ -0,0 +1 @@
+V-38692.rst
\ No newline at end of file
diff --git a/tasks/auth.yml b/tasks/auth.yml
index 9eacfd70..a1999af7 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -300,3 +300,14 @@
     - auth
     - cat3
     - V-38681
+
+- name: V-38692 - Lock inactive accounts
+  lineinfile:
+    dest: /etc/default_useradd
+    regexp: "^(#)?INACTIVE"
+    line: "INACTIVE {{ inactive_account_lock_days }}"
+  when: inactive_account_lock_days is defined
+  tags:
+    - auth
+    - cat3
+    - V-38692
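Review bot: `dest: /etc/default_useradd` in the new V-38692 task does not match the path the commit's own developer note names (`/etc/default/useradd`), so on a target host lineinfile will fail on a missing file or, at best, write to a file nothing reads, and the control is never applied; it should be `dest: /etc/default/useradd`. The `line:` value also lacks the `=` separator that entries in that file use, so even with the right path the setting would not be honoured — `line: "INACTIVE={{ inactive_account_lock_days }}"`. Note that this file only supplies defaults for accounts created later by useradd; existing accounts keep their current inactivity value, which a V-38692 audit will still flag, so the task name or the developer note should say that this is a new-account default rather than a lock of existing accounts. The regexp `^(#)?INACTIVE` will not match a commented entry written as `# INACTIVE=-1` with a space after the hash (the form I would expect in a stock file, to be confirmed), in which case lineinfile appends a second line instead of replacing it; `regexp: '^#?\s*INACTIVE'` covers both spellings. Separately, the V-38692 developer note's "accounts with 35 days of activity are locked" reads as the opposite of the intent and should say inactivity.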