Securing dormant or temporarily unused user accounts is a best practice emphasized in the Security domain of CompTIA Linux+ V8. When a user goes on extended leave, the goal is to prevent unauthorized access while preserving the user’s data and account for future use.
The most effective approach is to disable authentication and interactive login access without deleting the account. Option D, running passwd -l user, locks the user’s password by prepending an invalid character to the encrypted password in /etc/shadow. This prevents password-based authentication while retaining the account, files, and ownership information. Linux+ V8 documentation highlights password locking as a standard method for temporarily disabling accounts.
Option F, changing the user’s shell to /sbin/nologin, further strengthens account security by preventing interactive shell access entirely. Even if another authentication mechanism were attempted, the user would be denied a login shell. This is a common defense-in-depth measure and is explicitly referenced in Linux+ V8 objectives for access control and account hardening.
The other options are incorrect or inappropriate. Option A (immutable files) does not prevent account access and may interfere with system operations. Option B defeats the purpose of securing an inactive account. Option C deletes user data, which is unnecessary and risky. Option E has no security effect, as filesystem timestamps do not control access.
Linux+ V8 stresses that secure account management should be reversible, auditable, and minimally disruptive. Locking the password and disabling the login shell meet these criteria and are commonly used together in enterprise environments.
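A check for both controls described above (the password locked by passwd -l and the shell set to /sbin/nologin), as an added example that is not part of the original explanation. The function names and sample entries are constructed for illustration. It assumes the invalid character passwd -l prepends is '!' and also accepts /usr/sbin/nologin as a disabled shell.

```shell
#!/bin/sh
# Added example: audit an account for the two controls discussed above.
# Works on passwd/shadow-format files, so it can be run against copies.

# Exit 0 if USER's hash field in SHADOW_FILE starts with '!' (what passwd -l writes).
password_locked() {
    awk -F: -v u="$1" '$1 == u && substr($2, 1, 1) == "!" { ok = 1 }
        END { exit !ok }' "$2"
}

# Exit 0 if USER's login shell in PASSWD_FILE is a nologin binary.
shell_disabled() {
    awk -F: -v u="$1" '$1 == u && $7 ~ /^(\/usr)?\/sbin\/nologin$/ { ok = 1 }
        END { exit !ok }' "$2"
}

# Print "<password state>,<shell state>" for USER, or "missing".
# Arguments: USER PASSWD_FILE SHADOW_FILE
account_state() {
    if ! awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2"; then
        echo "missing"; return 0
    fi
    p=unlocked; s=interactive
    if password_locked "$1" "$3"; then p=locked; fi
    if shell_disabled "$1" "$2"; then s=nologin; fi
    echo "$p,$s"
}

# Constructed sample entries (not real accounts or hashes).
write_samples() {
    cat > "$1/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
alice:!$6$constructedsalt$constructedhash:19800:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19800:0:99999:7:::
carol:$6$constructedsalt$constructedhash:19800:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for u in alice bob carol dave; do
    printf '%s: %s\n' "$u" "$(account_state "$u" "$demo_dir/passwd" "$demo_dir/shadow")"
done
rm -rf "$demo_dir"
```

On a live system, account_state takes /etc/passwd and /etc/shadow as its file arguments and needs root to read the latter. An account reported as locked,interactive has only the first of the two controls applied.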