CIS 5.4.1.x

* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)

Related-Prod: PROD-18386

Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf

metadata/service/system/cis/cis-5-4-1-1.yml

@@ -0,0 +1,52 @@
+# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
+#
+# Description
+# ===========
+# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
+# force passwords to expire once they reach a defined age. It is recommended
+# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
+#
+# Rationale
+# =========
+# The window of opportunity for an attacker to leverage compromised credentials
+# or successfully compromise credentials via an online brute force attack is
+# limited by the age of the password. Therefore, reducing the maximum age of a
+# password also reduces an attacker's window of opportunity.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MAX_DAYS is 90 or less:
+#
+#   # grep PASS_MAX_DAYS /etc/login.defs
+#   PASS_MAX_DAYS 90
+#
+# Verify all users with a password have their maximum days between password
+# change set to 90 or less:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Maximum number of days between password change: 90
+#
+# Remediation
+# ===========
+# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
+#
+#   PASS_MAX_DAYS 90
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --maxdays 90 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 90 or less for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_MAX_DAYS:
+          value: 90
+

metadata/service/system/cis/cis-5-4-1-2.yml

@@ -0,0 +1,52 @@
+# CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to
+# prevent users from changing their password until a minimum number of days
+# have passed since the last time the user changed their password. It is
+# recommended that PASS_MIN_DAYS parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# By restricting the frequency of password changes, an administrator can
+# prevent users from repeatedly changing their password in an attempt to
+# circumvent password reuse controls.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MIN_DAYS is 7 or more:
+#
+#   # grep PASS_MIN_DAYS /etc/login.defs
+#   PASS_MIN_DAYS 7
+#
+# Verify all users with a password have their minimum days between password
+# change set to 7 or more:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Minimum number of days between password change: 7
+#
+# Remediation
+# ===========
+# Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :
+#
+#   PASS_MIN_DAYS 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --mindays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_MIN_DAYS:
+          value: 7
+

metadata/service/system/cis/cis-5-4-1-3.yml

@@ -0,0 +1,52 @@
+# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
+# notify users that their password will expire in a defined number of days.
+# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# Providing an advance warning that a password will be expiring gives users
+# time to think of a secure password. Users caught unaware may choose a simple
+# password or write it down where it may be discovered.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_WARN_AGE is 7 or more:
+#
+#   # grep PASS_WARN_AGE /etc/login.defs
+#   PASS_WARN_AGE 7
+#
+# Verify all users with a password have their number of days of warning before
+# password expires set to 7 or more:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Number of days of warning before password expires: 7
+#
+# Remediation
+# ===========
+#
+# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
+#
+#   PASS_WARN_AGE 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --warndays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 6th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_WARN_AGE:
+          value: 7
+

metadata/service/system/cis/cis-5-4-1-4.yml

@@ -0,0 +1,51 @@
+# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+#
+# Description
+# ===========
+# User accounts that have been inactive for over a given period of time can be
+# automatically disabled. It is recommended that accounts that are inactive
+# for 30 days after password expiration be disabled.
+#
+# Rationale
+# =========
+# Inactive accounts pose a threat to system security since the users are not
+# logging in to notice failed login attempts or other anomalies.
+#
+# Audit
+# =====
+# Run the following command and verify INACTIVE is 30 or less:
+#
+#   # useradd -D | grep INACTIVE
+#   INACTIVE=30
+#
+# Verify all users with a password have Password inactive no more than 30 days
+# after password expires:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Password inactive: <date>
+#
+# Remediation
+# ===========
+# Run the following command to set the default password inactivity period to
+# 30 days:
+#
+#   # useradd -D -f 30
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --inactive 30 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 7th field
+# should be 30 or less for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        INACTIVE:
+          value: 30
+

metadata/service/system/cis/init.yml

@@ -31,6 +31,10 @@ classes:
 - service.linux.system.cis.cis-3-5-2
 - service.linux.system.cis.cis-3-5-3
 - service.linux.system.cis.cis-3-5-4
+- service.linux.system.cis.cis-5-4-1-1
+- service.linux.system.cis.cis-5-4-1-2
+- service.linux.system.cis.cis-5-4-1-3
+- service.linux.system.cis.cis-5-4-1-4
 - service.linux.system.cis.cis-6-1-2
 - service.linux.system.cis.cis-6-1-3
 - service.linux.system.cis.cis-6-1-4