
5.4.1.2 Ensure minimum password days is configured

Audit

Run the following command to verify that PASS_MIN_DAYS is set to a value greater than 0 and follows local site policy:

# grep -Pi -- '^\h*PASS_MIN_DAYS\h+\d+\b' /etc/login.defs

Example output:

PASS_MIN_DAYS 1

Run the following command to verify all passwords have a PASS_MIN_DAYS greater than 0:

# awk -F: '($2~/^\$.+\$/) {if($4 < 1)print "User: " $1 " PASS_MIN_DAYS: "$4}' /etc/shadow

Nothing should be returned.
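
The two audit checks above combined into reusable shell functions, as an added example that is not part of the benchmark text. The function names are hypothetical and file paths are passed as arguments. Assumptions: any uncommented PASS_MIN_DAYS line below 1 fails the check, and an empty minimum-age field in the shadow file is reported because shadow(5) treats an empty field and 0 alike as no minimum age.

```shell
#!/bin/sh
# Added example, not benchmark text. Function names are hypothetical.
# Paths are arguments so the checks can run on copies or constructed samples.

# Succeed only if the file has at least one uncommented PASS_MIN_DAYS line and
# every such line sets a value >= 1 (failing on any bad line is this example's
# conservative assumption).
check_login_defs() {
    awk '
        toupper($1) == "PASS_MIN_DAYS" && $2 ~ /^[0-9]+$/ {
            seen = 1
            if ($2 + 0 < 1) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# Print one line per account that has a password hash in field 2 and a
# minimum-age field (field 4) that is empty or below 1.
shadow_violations() {
    awk -F: '
        $2 ~ /^\$.+\$/ && ($4 == "" || $4 + 0 < 1) {
            print "User: " $1 " PASS_MIN_DAYS: " ($4 == "" ? "(unset)" : $4)
        }
    ' "$1"
}

# Usage (as root): audit_min_days /etc/login.defs /etc/shadow
# Returns 0 when both checks pass, 1 otherwise.
audit_min_days() {
    rc=0
    check_login_defs "$1" || { echo "FAIL: PASS_MIN_DAYS missing or < 1 in $1"; rc=1; }
    v=$(shadow_violations "$2")
    [ -z "$v" ] || { echo "$v"; rc=1; }
    return "$rc"
}
```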

Remediation

Edit /etc/login.defs and set PASS_MIN_DAYS to a value greater than 0 that follows local site policy:

Example:

PASS_MIN_DAYS 1

Run the following command for each user with a password set, to change that user's minimum days to a value greater than zero that follows local site policy:

# chage --mindays <N> <user>

Example:

# awk -F: '($2~/^\$.+\$/) {if($4 < 1)system ("chage --mindays 1 " $1)}' /etc/shadow

Default Value: PASS_MIN_DAYS 0