
5.5.1.2 Ensure password expiration is 365 days or less

Audit

Run the following command and verify PASS_MAX_DAYS conforms to site policy, does not exceed 365 days, and is greater than PASS_MIN_DAYS:

# grep PASS_MAX_DAYS /etc/login.defs
PASS_MAX_DAYS 365

Run the following command and review the list of users and their PASS_MAX_DAYS values to verify that every user's PASS_MAX_DAYS conforms to site policy, does not exceed 365 days, and is no less than PASS_MIN_DAYS:

# awk -F: '/^[^:]+:[^!*]/ && ($5 !~ /^[0-9]+$/ || $5 > 365 || $5 < 1 || $5 < $4) {print $1 " " $5}' /etc/shadow
No <user> <PASS_MAX_DAYS> lines should be returned (the command lists accounts with a password set whose maximum age is empty, non-numeric, greater than 365, less than 1, or below the account's own minimum age in field 4).
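The audit above as a runnable script, added here and not part of the benchmark text: it checks a login.defs file and a shadow file with the same rules, run against constructed sample files (the fake hashes, account names and the function names are assumptions for the example).

```shell
#!/bin/sh
# Added example, not from the benchmark: audit PASS_MAX_DAYS as 5.5.1.2 describes,
# against constructed sample files; point the functions at /etc/login.defs and
# /etc/shadow (as root) for a live audit.

# Print the effective PASS_MAX_DAYS from a login.defs file; commented lines do
# not match because their $1 is "#PASS_MAX_DAYS", and the last definition wins.
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Return 0 when PASS_MAX_DAYS is numeric and within 1..365 inclusive.
login_defs_ok() {
    v=$(login_defs_max_days "$1")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge 1 ] && [ "$v" -le 365 ]
}

# Print "user maxdays" for each account with a password (field 2 not starting
# with ! or *) whose max-days field (5) is empty, non-numeric, above 365,
# below 1, or below that account's own PASS_MIN_DAYS (field 4).
shadow_violations() {
    awk -F: '/^[^:]+:[^!*]/ && ($5 !~ /^[0-9]+$/ || $5 > 365 || $5 < 1 || $5 < $4) {
        print $1 " " $5
    }' "$1"
}

# Write constructed sample files into directory $1 (fake hashes, no real accounts).
make_samples() {
    printf '# constructed login.defs\nPASS_MAX_DAYS 365\nPASS_MIN_DAYS 1\n' > "$1/login.defs"
    printf 'PASS_MAX_DAYS 99999\n' > "$1/login.defs.default"   # the shipped default
    cat > "$1/shadow" <<'EOF'
alice:$6$fake$hash:19000:1:90:7:::
bob:$6$fake$hash:19000:0:99999:7:::
carol:$6$fake$hash:19000:0::7:::
dave:$6$fake$hash:19000:7:5:7:::
eve:$6$fake$hash:19000:0:0:7:::
sys:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
}

# Demonstration on the samples; the expected violations are bob, carol, dave and eve.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
if login_defs_ok "$sample_dir/login.defs"; then echo "login.defs: PASS"; else echo "login.defs: FAIL"; fi
shadow_violations "$sample_dir/shadow"
rm -rf "$sample_dir"
```

Locked accounts (sys, svc) are skipped exactly as in the benchmark's awk, so a 99999 on a `*` or `!` entry is not reported.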

Remediation

Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs:

PASS_MAX_DAYS 365

Modify user parameters for all users with a password set to match:

# chage --maxdays 365 <user>

Default Value:

PASS_MAX_DAYS 99999