Unlocking User Accounts for Which Password Has Expired
To support the U.S. Department of Defense Joint Interoperability Test Command (JITC) requirements, when the security level of the CTP Series platforms is set to high, the JITC high security mode requires that the CTP device automatically disable accounts after a 35-day period of account inactivity. This requirement means that the passwords of all user accounts that have not logged in to the CTP device or CTPView server for the past 35 days are locked. You can unlock those user accounts in compliance with the JITC specification.
A lockout warning message is displayed only for System Administrator and CTP Administrator accounts, not for other user accounts. The lockout warning messages are recorded in the network syslog file to report the system administrator accounts that are due to be locked in the next 10 days.
All users authorized to access the syslog file can view the lockout warning messages. The lockout warning messages are sent starting 10 days before the date on which the account is due to be locked. For example, when an account has not been accessed for the last 25 days, the first warning message is sent on the 25th day, the second warning message on the 26th day, and so on, until the 35th day is reached and the account is locked. Users whose accounts are locked can ask the system administrators or root-privileged users to unlock the accounts for them.
A script “reset_pw_lock <user>” is added on the CTP device and the CTPView server. You can run the “reset_pw_lock <user>” script to unlock the user accounts.
Script to Monitor the Duration of Inactivity of User Accounts
The “activity_check” script file, which is already available on the CTP Series platforms and the CTPView server at the /etc/cron.daily/activity_check path, is enhanced to send the lockout warning messages to the network syslog. Currently, this file is used to lock user accounts after a 35-day period of account inactivity.
The following sequence of events occurs when the “activity_check” script is used to send the lockout warning messages.
If the user account is not already locked, the script identifies the date on which the user last logged in. If the user has not logged in for the last 25 days, and if the user is a system administrator, a warning message is generated and transmitted to the syslog with a log severity level greater than 8.
If the user account is not already locked, the script determines the date on which the user account was created. If the user has not logged in for the last 25 days, and if the user is a system administrator, a warning message is generated and transmitted to the syslog with a log severity level greater than 8.
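The check sequence above, as an added shell illustration that is not Juniper's activity_check script: it encodes the 25-day warning window and the 35-day lock threshold stated on this page and applies them to a constructed set of account records. The record format (user, role, last-login date), the "admin" role flag used to mark System Administrator and CTP Administrator accounts, and the reliance on GNU date -d are assumptions; the lock and syslog actions the real script would take are only named in the output so the decision logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not the CTP Series activity_check script.
# Thresholds from the page: warnings start at 25 days, lock at 35 days.
WARN_DAYS=25
LOCK_DAYS=35

# days_since START [END]: whole days from START to END (default: today),
# both as YYYY-MM-DD. Uses GNU `date -d`; UTC avoids DST off-by-one errors.
days_since() {
    start=$(date -u -d "$1" +%s)
    end=$(date -u -d "${2:-$(date -u +%F)}" +%s)
    echo $(( (end - start) / 86400 ))
}

# classify DAYS ROLE: "lock" once the 35-day limit is reached (any account),
# "warn" when an administrator account is inside the 10-day warning window,
# "ok" otherwise. Non-administrator accounts never receive a warning.
classify() {
    days=$1
    role=$2
    if [ "$days" -ge "$LOCK_DAYS" ]; then
        echo lock
    elif [ "$days" -ge "$WARN_DAYS" ] && [ "$role" = admin ]; then
        echo warn
    else
        echo ok
    fi
}

# Constructed sample records (assumed format): user role last_login.
# The real script would derive last_login from the login record, or from
# the account creation date when the account has never logged in.
SAMPLE_RECORDS='sysadmin1 admin 2024-01-01
ctpadmin admin 2024-01-11
operator user 2024-01-01
fresh admin 2024-02-01'

# run_check TODAY: prints "user action days" per record. In a production
# script, "lock" would map to `usermod -L user` and "warn" to a
# `logger -p auth.warning` call that reaches the network syslog.
run_check() {
    today=$1
    printf '%s\n' "$SAMPLE_RECORDS" | while read -r user role last; do
        days=$(days_since "$last" "$today")
        echo "$user $(classify "$days" "$role") $days"
    done
}

# Stand-alone run against a fixed reference date (override with argument 1).
run_check "${1:-2024-02-05}"
```

With the reference date 2024-02-05, sysadmin1 and operator are at exactly 35 days and are reported as lock, ctpadmin is at 25 days and gets the first warning, and fresh is untouched.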
Script to Reset the Expired User Accounts
The reset_pw_lock script is added to the CTP device (CTP Box) and the CTPView server in the /bin folder. This script can also be run in shell or CLI mode. For a locked user account (in which the user cannot log in to the shell), the user needs to manually change to single-user mode to run this script. The script is run by entering the reset_pw_lock <user> command and unlocks the password of only the user specified in the command. For multiple users, enter the command as reset_pw_lock <user1> <user2> .... When you run this script, it unlocks the password of the specified user account, performs the mounting operations, and reboots the system. In summary, the activity_check script file is modified to send the lockout warning message to the network syslog, and the reset_pw_lock script is added to unlock the password of disabled user accounts.