5.4.1.3 Ensure password expiration warning days is configured

Audit

Run the following command and verify PASS_WARN_AGE is 7 or more and follows local site policy:

# grep -Pi -- '^\h*PASS_WARN_AGE\h+\d+\b' /etc/login.defs

Example output:

PASS_WARN_AGE 7

Run the following command to verify all passwords have a PASS_WARN_AGE of 7 or more:

# awk -F: '($2~/^\$.+\$/) {if($6 < 7)print "User: " $1 " PASS_WARN_AGE: "$6}' /etc/shadow
Nothing should be returned
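The per-user check above flags accounts whose sixth /etc/shadow field is below 7, but an empty field (warn days never set) is printed with a blank value. The following is an added example, not part of the benchmark, that wraps the same awk logic in a function, reports an empty field explicitly as "unset", and exercises it against a constructed shadow-format sample rather than the real /etc/shadow; as in the one-liner, locked (`!`) and passwordless (`*`) accounts are skipped.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit per-user PASS_WARN_AGE
# against a shadow-format file. Field 6 is the warn-days value.

# Write a constructed sample in /etc/shadow format to the given path.
# alice is below 7, bob has the field empty, svc/daemon have no password hash.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$abc$hashroot:19700:0:99999:7:::
alice:$6$def$hashalice:19700:0:99999:3:::
bob:$6$ghi$hashbob:19700:0:99999::::
svc:!:19700:0:99999:2:::
daemon:*:19700:0:99999::::
EOF
}

# Print "user warndays" for each account with a password hash whose warn
# period is below the threshold (default 7); an empty field prints "unset".
# Exit status 0 when every hashed account complies, 1 otherwise.
audit_warn_days() {
    file="$1"; threshold="${2:-7}"
    awk -F: -v min="$threshold" '
        $2 ~ /^\$.+\$/ {
            if ($6 == "")          { print $1, "unset"; bad = 1 }
            else if ($6 + 0 < min) { print $1, $6;      bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$file"
}

# Run against the constructed sample (use /etc/shadow as root for a real audit)
f=$(mktemp)
write_sample_shadow "$f"
audit_warn_days "$f" 7 || echo "non-compliant accounts found"
rm -f "$f"
```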

Remediation

Edit /etc/login.defs and set PASS_WARN_AGE to a value of 7 or more that follows local site policy.

Example:

PASS_WARN_AGE 7

Run the following command for each user with a password set to change that user's minimum warning period to 7 or more days, following local site policy:

# chage --warndays <N> <user>

Example:

# awk -F: '($2~/^\$.+\$/) {if($6 < 7)system ("chage --warndays 7 " $1)}' /etc/shadow

Default Value: PASS_WARN_AGE 7