Saltstack Official Linux Formula
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
- # CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
- #
- # Description
- # ===========
- # The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
- # notify users that their password will expire in a defined number of days.
- # It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
- #
- # Rationale
- # =========
- # Providing an advance warning that a password will be expiring gives users
- # time to think of a secure password. Users caught unaware may choose a simple
- # password or write it down where it may be discovered.
- #
- # Audit
- # =====
- # Run the following command and verify PASS_WARN_AGE is 7 or more:
- #
- # # grep PASS_WARN_AGE /etc/login.defs
- # PASS_WARN_AGE 7
- #
- # Verify all users with a password have their number of days of warning before
- # password expires set to 7 or more:
- #
- # # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
- # <list of users>
- # # chage --list <user>
- # Number of days of warning before password expires: 7
- #
- # Remediation
- # ===========
- #
- # Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
- #
- # PASS_WARN_AGE 7
- #
- # Modify user parameters for all users with a password set to match:
- #
- # # chage --warndays 7 <user>
- #
- # Notes
- # =====
- # You can also check this setting in /etc/shadow directly. The 6th field
- # should be 7 or more for all users with a password.
- #
- parameters:
- linux:
- system:
- login_defs:
- PASS_WARN_AGE:
- value: 7
|
