4.2.4 maxexpired

Information

Defines the number of weeks after maxage, that a password can be reset by the user.

Rationale:

The maxexpired attribute limits the number of weeks after password expiry that a password may be changed by the user.

Solution

In /etc/security/user, set the default user stanza maxexpired attribute to 4:

chsec -f /etc/security/user -s default -a maxexpired=4

This means that a user can reset their password up to 4 weeks after it has expired. After this an administrative user would need to reset the password.

Default Value:

No limit

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Unix

Control ID: 42608b1301ff611fcac1099de3f487004107ff3bf872b1bbf995852144911cbc