|
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- # CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
- #
- # Description
- # ===========
- # The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
- # force passwords to expire once they reach a defined age. It is recommended
- # that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
- #
- # Rationale
- # =========
- # The window of opportunity for an attacker to leverage compromised credentials
- # or successfully compromise credentials via an online brute force attack is
- # limited by the age of the password. Therefore, reducing the maximum age of a
- # password also reduces an attacker's window of opportunity.
- #
- # Audit
- # =====
- # Run the following command and verify PASS_MAX_DAYS is 90 or less:
- #
- # # grep PASS_MAX_DAYS /etc/login.defs
- # PASS_MAX_DAYS 90
- #
- # Verify all users with a password have their maximum days between password
- # change set to 90 or less:
- #
- # # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
- # <list of users>
- # # chage --list <user>
- # Maximum number of days between password change: 90
- #
- # Remediation
- # ===========
- # Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
- #
- # PASS_MAX_DAYS 90
- #
- # Modify user parameters for all users with a password set to match:
- #
- # # chage --maxdays 90 <user>
- #
- # Notes
- # =====
- # You can also check this setting in /etc/shadow directly. The 5th field
- # should be 90 or less for all users with a password.
- #
- parameters:
- linux:
- system:
- login_defs:
- PASS_MAX_DAYS:
- value: 90
-
|