
5.4.1.1 Ensure password expiration is configured

Audit

Run the following command and verify PASS_MAX_DAYS is set to 365 days or less and conforms to local site policy:

# grep -Pi -- '^\h*PASS_MAX_DAYS\h+\d+\b' /etc/login.defs

Example output:

PASS_MAX_DAYS 365

Run the following command to verify that, for all /etc/shadow entries with a password set, PASS_MAX_DAYS:

- is greater than 0 days
- is less than or equal to 365 days
- conforms to local site policy

# awk -F: '($2~/^\$.+\$/) {if($5 > 365 || $5 < 1)print "User: " $1 " PASS_MAX_DAYS: " $5}' /etc/shadow

Nothing should be returned.

Remediation

Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs :

PASS_MAX_DAYS 365

Modify user parameters for all users with a password set to match:

# chage --maxdays 365 <user>

Edit /etc/login.defs and set PASS_MAX_DAYS to a value greater than 0 that follows local site policy. Example:

PASS_MAX_DAYS 365

Run the following command to set the maximum password age for all users with a password set whose current value is greater than 365 or less than 1, choosing a value that follows local site policy:

# awk -F: '($2~/^\$.+\$/) {if($5 > 365 || $5 < 1)system ("chage --maxdays 365 " $1)}' /etc/shadow

Warning: If a password has been set at system install or kickstart, the last change date field is not set. In this case, setting PASS_MAX_DAYS will immediately expire the password. One possible solution is to populate the last change date field through a command like: chage -d "$(date +%Y-%m-%d)" root
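The audit check and the remediation loop above, as an added example that is not part of the benchmark text: the script reads a shadow-format file passed as an argument (a constructed sample here, so it runs offline without root) and reports accounts whose maximum password age is outside the 1..365 range, using the same hash-field regex as the page's awk. A second function prints the chage commands that would bring the flagged accounts into line instead of executing them, and emits the chage -d step from the warning above whenever the last-change-date field is empty. The function names, the limit parameter and the sample accounts are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the benchmark's own tooling. Audits a shadow-format file
# for PASS_MAX_DAYS compliance and prints a remediation plan (dry run).

# Report accounts with a real password hash ($id$...$) whose max-age field
# (field 5) is empty, greater than the limit, or less than 1. Locked ('!')
# and disabled ('*') entries are skipped, as in the page's awk check.
audit_pass_max_days() {
    file="$1"
    limit="${2:-365}"
    awk -F: -v limit="$limit" '
        $2 ~ /^\$.+\$/ {
            if ($5 == "" || $5 > limit || $5 < 1)
                print "User: " $1 " PASS_MAX_DAYS: " $5
        }' "$file"
}

# Number of non-compliant accounts (handy for a pass/fail exit status).
count_noncompliant() {
    audit_pass_max_days "$1" "${2:-365}" | wc -l | tr -d ' '
}

# Print, without running, the chage commands that would fix each flagged
# account. If the last-change date (field 3) is empty, setting a max age
# would expire the password immediately, so a chage -d is emitted first.
remediation_plan() {
    file="$1"
    limit="${2:-365}"
    awk -F: -v limit="$limit" -v today="$(date +%Y-%m-%d)" '
        $2 ~ /^\$.+\$/ && ($5 == "" || $5 > limit || $5 < 1) {
            if ($3 == "") print "chage -d " today " " $1
            print "chage --maxdays " limit " " $1
        }' "$file"
}

# Constructed sample shadow file (hashes are placeholders, not real):
#   root  - max age 99999 (default), non-compliant
#   alice - max age 365, compliant
#   bob   - max age 0, non-compliant (less than 1)
#   kick  - max age 99999 and empty last-change date (kickstart case)
#   svc / daemon - locked or disabled, never flagged
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19000:1:365:7:::
bob:$y$j9T$saltsalt$placeholderhash:19000:0:0:7:::
kick:$6$saltsalt$placeholderhash::0:99999:7:::
svc:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF

echo "== audit (non-compliant accounts) =="
audit_pass_max_days "$SAMPLE" 365
echo "== remediation plan (dry run) =="
remediation_plan "$SAMPLE" 365
```

Against the real system the same functions are called with /etc/shadow as root; the plan output can be reviewed and then piped to sh once the site's chosen limit has been confirmed.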

Default Value: PASS_MAX_DAYS 99999