Saltstack Official Linux Formula


# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
#
# Description
# ===========
# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
# notify users that their password will expire in a defined number of days.
# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
#
# Rationale
# =========
# Providing an advance warning that a password will be expiring gives users
# time to think of a secure password. Users caught unaware may choose a simple
# password or write it down where it may be discovered.
#
# Audit
# =====
# Run the following command and verify PASS_WARN_AGE is 7 or more:
#
# # grep PASS_WARN_AGE /etc/login.defs
# PASS_WARN_AGE 7
#
# Verify all users with a password have their number of days of warning before
# password expires set to 7 or more:
#
# # egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
# Number of days of warning before password expires: 7
#
# Remediation
# ===========
#
# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs:
#
# PASS_WARN_AGE 7
#
# Modify user parameters for all users with a password set to match:
#
# # chage --warndays 7 <user>
#
# Notes
# =====
# You can also check this setting in /etc/shadow directly. The 6th field
# should be 7 or more for all users with a password.
#
parameters:
  linux:
    system:
      login_defs:
        PASS_WARN_AGE:
          value: 7
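
The audit steps described in the comments above, as an added shell example that is not part of the formula. The function names, the `MIN_WARN` variable and the sample records in `demo` are assumptions made for illustration; the file paths are arguments so the checks can be run against copies of `/etc/login.defs` and `/etc/shadow`.

```shell
#!/bin/sh
# Added example: audit helpers for CIS 5.4.1.3 (function names are hypothetical).
MIN_WARN=7

# Print the PASS_WARN_AGE found in a login.defs-style file and return 1 if it
# is unset, non-numeric or below MIN_WARN. Assumption of this sketch: when the
# key appears more than once, the last uncommented occurrence is reported.
check_login_defs() {
    awk -v min="$MIN_WARN" '
        $1 == "PASS_WARN_AGE" { val = $2; seen = 1 }
        END {
            if (!seen) { print "PASS_WARN_AGE unset"; exit 1 }
            print "PASS_WARN_AGE " val
            if (val !~ /^[0-9]+$/ || val + 0 < min) exit 1
        }' "$1"
}

# Print accounts in a shadow-style file whose password field does not start
# with ! or * (the same selection as the egrep in the audit text) and whose
# 6th field (warning days) is empty or below MIN_WARN. Return 1 if any exist.
list_short_warn_users() {
    awk -F: -v min="$MIN_WARN" '
        $2 !~ /^[!*]/ {
            if ($6 !~ /^[0-9]+$/ || $6 + 0 < min) { print $1; bad = 1 }
        }
        END { exit bad + 0 }' "$1"
}

# Run both checks on constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# PASS_WARN_AGE 3' 'PASS_MAX_DAYS 365' \
        'PASS_WARN_AGE   7' > "$d/login.defs"
    printf '%s\n' \
        'root:$6$constructed$hash:19000:0:365:7:::' \
        'alice:$6$constructed$hash:19000:0:365:3:::' \
        'bob:$6$constructed$hash:19000:0:365::::' \
        'daemon:*:19000:0:99999:7:::' \
        'locked:!$6$constructed$hash:19000:0:365:1:::' \
        'carol:$6$constructed$hash:19000:0:365:14:::' > "$d/shadow"
    check_login_defs "$d/login.defs"
    list_short_warn_users "$d/shadow"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real host, run `check_login_defs /etc/login.defs` and `list_short_warn_users /etc/shadow` as root; each account printed by the second command is a candidate for `chage --warndays 7 <user>`.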