
5.5.1.5 Ensure all users' last password change date is in the past

Audit

Run the following command as root and verify that it produces no output. It selects every account in /etc/shadow whose password field is neither locked (starts with `!`) nor disabled (starts with `*`), reads the "Last password change" date reported by chage, and prints any account whose date is later than the current system time.

# awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; \
do change=$(date -d "$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s); \
if [[ "$change" -gt "$(date +%s)" ]]; then \
echo "User: \"$usr\" last password change was \"$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)\""; fi; done
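The script below is an added example, not CIS benchmark code, that performs the same check by parsing /etc/shadow directly instead of invoking chage once per user. Field 3 of each shadow entry holds the last password change as a day count since 1970-01-01; an empty field means aging is not tracked and 0 means the password must be changed at next login, so both are skipped, as are accounts whose hash starts with `!` or `*`. It assumes bash and GNU date (for the `@epoch` form). The function names, the optional "today" argument and the sample shadow lines are constructed for illustration; on a live host run it as root with `/etc/shadow` as the argument.

```bash
#!/usr/bin/env bash
# Added example (not CIS benchmark code): flag accounts whose last password
# change day (shadow field 3) lies in the future. Assumes GNU date.

# Current day number in the same units as shadow field 3.
today_days() {
    echo $(( $(date -u +%s) / 86400 ))
}

# Print "user:days" for every account with a usable password hash whose
# last-change day is later than today. Output is empty on a compliant host.
# The optional second argument overrides "today" so the logic can be tested.
find_future_changes() {
    local shadow_file="$1"
    local today="${2:-$(today_days)}"
    awk -F: -v today="$today" '
        # malformed lines and locked (!) or disabled (*) accounts are skipped
        NF < 3 || $2 == "" || $2 ~ /^[!*]/ { next }
        # aging not tracked (empty) or forced change at next login (0)
        $3 == "" || $3 == 0 { next }
        $3 > today { print $1 ":" $3 }
    ' "$shadow_file"
}

# Convert a shadow day count to YYYY-MM-DD for the report.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# Human-readable report: one line per finding, nothing when compliant.
report() {
    local shadow_file="$1"
    local today="${2:-$(today_days)}"
    find_future_changes "$shadow_file" "$today" | while IFS=: read -r usr days; do
        echo "User \"$usr\" last password change is in the future: $(days_to_date "$days")"
    done
}

# Constructed sample shadow data (not from any real system). Placeholder
# hashes suffice because only the first character of field 2 is inspected.
make_sample() {
    local today="${1:-$(today_days)}"
    cat <<EOF
root:\$6\$salt\$hash:$(( today - 30 )):0:99999:7:::
alice:\$6\$salt\$hash:$(( today - 365 )):0:99999:7:::
future:\$6\$salt\$hash:$(( today + 10000 )):0:99999:7:::
locked:!\$6\$salt\$hash:$(( today + 500 )):0:99999:7:::
daemon:*:$(( today + 500 )):0:99999:7:::
resetme:\$6\$salt\$hash:0:0:99999:7:::
notracked:\$6\$salt\$hash::0:99999:7:::
EOF
}

# Usage: ./check.sh /etc/shadow   (live check, as root)
#        ./check.sh --sample      (run against the constructed sample)
if [ "${1:-}" = "--sample" ]; then
    tmp=$(mktemp)
    make_sample > "$tmp"
    report "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    report "$1"
fi
```

Running it with `--sample` reports only the `future` account: the `locked` and `daemon` entries carry future dates but are excluded because their hash field starts with `!` or `*`, and `resetme` and `notracked` are excluded because a value of 0 or an empty field is not a real change date. Reading the file once with awk also avoids a per-user fork of chage, which matters on hosts with many accounts.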

Remediation

Investigate any user whose password change date is in the future and correct it. A future date typically results from a password being set while the system clock was wrong, or from /etc/shadow being edited by hand, so confirm the clock is correct before fixing the affected accounts.

Depending on the cause, locking the account, expiring the password so it must be changed at next login (for example `chage -d 0 <user>`), or resetting the password manually may be appropriate.