---

{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_4_1_5 }}
command:
  inactive_passwd:
    title: 5.4.1.5 | Ensure inactive password lock is configured | password
    exec: useradd -D | grep INACTIVE
    exit-status: 0
    stdout:
    - '/^INACTIVE=([1-9]|[1-3][0-9]|4[0-5])$/'
    - '!/INACTIVE=(-1|4[6-9]|[5-9][0-9]{1,})/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.4.1.5
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
  inactive_users:
    title: 5.4.1.5 | Ensure inactive password lock is configured | users
    exec: "cat /etc/shadow | grep -v '!*' | awk -F':' '{ if ($7 > 45 ){ print $1 } }'"
    stdout:
    - '!/.*/'
    exit-status: 0
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.4.1.5
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
  {{ end }}
{{ end }}