Details

The macOS _MUST_ be configured to disable accounts after 35 days of inactivity.

This rule prevents malicious users from making use of unused accounts to gain access to the system while avoiding detection.

Solution

This setting may be enforced using local policy or by a directory service.

To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the “policyCategoryAuthentication”:

[source,xml]
—-

policyContent
policyAttributeLastAuthenticationTime > policyAttributeCurrentTime – (policyAttributeInactiveDays * 24 * 60 * 60)
policyIdentifier
Inactive Account
policyParameters

policyAttributeInactiveDays
35


—-
After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of “$pwpolicy_file”.

[source,bash]
—-
/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
—-
NOTE: See the password policy supplemental on more information on how to implement password policies on macOS.

Supportive Information

The following resource is also helpful.

• https://github.com/usnistgov/macos_security

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|AC-2(3)
• 800-53|IA-4
• 800-53|IA-4e.
• CCE|CCE-91028-1, CCI|CCI-000795

Source

• Tenable.com/audits