Skip to content

5.5.1.3 Ensure password expiration warning days is 7 or more

Audit#

Run the following command and verify PASS_WARN_AGE conforms to site policy (No less than 7 days): 

# grep PASS_WARN_AGE /etc/login.defs
PASS_WARN_AGE 7

Verify all users with a password have their number of days of warning before password expires set to 7 or more:

Run the following command and Review list of users and PASS_WARN_AGE to verify that all users' PASS_WARN_AGE conforms to site policy (No less than 7 days): 

# awk -F: '(/^[^:]+:[^!*]/ && $6<7){print $1 " " $6}' /etc/shadow
No <user>:<PASS_WARN_AGE> should be returned

Remediation#

Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs : 

PASS_WARN_AGE 7

Modify user parameters for all users with a password set to match: 

# chage --warndays 7 <user>

Default Value:

PASS_WARN_AGE 7