# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
#
# Description
# ===========
# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
# force passwords to expire once they reach a defined age. It is recommended
# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
#
# Rationale
# =========
# The window of opportunity for an attacker to leverage compromised credentials
# or successfully compromise credentials via an online brute force attack is
# limited by the age of the password. Therefore, reducing the maximum age of a
# password also reduces an attacker's window of opportunity.
#
# Audit
# =====
# Run the following command and verify PASS_MAX_DAYS is 90 or less:
#
#   # grep PASS_MAX_DAYS /etc/login.defs
#   PASS_MAX_DAYS 90
#
# Verify all users with a password have their maximum days between password
# change set to 90 or less:
#
#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
#   <list of users>
#   # chage --list <user>
#   Maximum number of days between password change: 90
#
# Remediation
# ===========
# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
#
#   PASS_MAX_DAYS 90
#
# Modify user parameters for all users with a password set to match:
#
#   # chage --maxdays 90 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 5th field
# should be 90 or less for all users with a password.
#
parameters:
  linux:
    system:
      login_defs:
        PASS_MAX_DAYS:
          value: 90