Verify the macOS system is configured to disable accounts after 35 days of inactivity with the following command:/usr/bin/pwpolicy -getaccountpolicies 2> /dev/null | /usr/bin/tail +2 | /usr/bin/xmllint --xpath '//dict/key[text()="policyAttributeInactiveDays"]/following-sibling::integer[1]/text()' -If the result is not "35", this is a finding.

Configure the macOS system to disable accounts after 35 days of inactivity with the following command:This setting may be enforced using local policy.To set local policy to disable an inactive user after 35 days, edit the current password policy to contain the following within the "policyCategoryAuthentication":[source,xml]----policyContentpolicyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)policyIdentifierInactive AccountpolicyParameterspolicyAttributeInactiveDays35----After saving the file and exiting to the command prompt, run the following command to load the new policy file, substituting the path to the file in place of "$pwpolicy_file".[source,bash]----/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file----