Manage Account Lockout

1. In Tenable Core, log in to the shell via the Terminal page or the console.

2. Run the following command:

   sudo /usr/libexec/tenablecore/unlock_admins.py --confirm

   Note: If the system returns with "sudo: /usr/libexec/tenablecore/unlock_admins.py: command not found" refer to the following section: To change lockout settings.

Tip: Tenable strongly recommends that you enable account lockout if your internal policies allow it.

To check what a user’s current setting is:

1. In Tenable Core, log in to the shell via the Terminal page or the console.

2. Run the following command:

   chage -l <username> | grep 'Password inactive'

When locking is enabled for the named user, this outputs a date by which the password must be changed in order to avoid account lockout. For example:

Or, when locking is disabled for this user:

1. In Tenable Core, log in to the shell via the Terminal page or the console.

2. Run the following command, where <ndays> is the number of days after password expiration that the account should be locked (-1 for never):

   sudo chage -I <ndays> <username>

1. In Tenable Core, log in to the shell via the Terminal page or the console.

2. Run the following command:

   useradd -D | grep INACTIVE

3. If locking is enabled for 30 days (for example) after password expiration then this outputs:

   INACTIVE=30

   Or, if locking is disabled:

   INACTIVE=-1

1. In Tenable Core, log in to the shell via the Terminal page or the console.

2. Run the following command, where <ndays> is the default number of days after password expiration that accounts should be be locked (-1 for never):

   sudo useradd -D -f <ndays>