5.4.1.3 Ensure password expiration warning days is configured

Information

The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days.

PASS_WARN_AGE

<N>

- The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

Solution

Edit /etc/login.defs and set PASS_WARN_AGE to a value of 7 or more that follows local site policy:

Example:

PASS_WARN_AGE 7

Run the following command to modify user parameters for all users with a password set to a minimum warning to 7 or more days that follows local site policy:

# chage --warndays <N> <user>

Example:

# awk -F: '($2~/^$.+$/) {if($6 < 7)system ("chage --warndays 7 " $1)}' /etc/shadow

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4.4

Plugin: Unix

Control ID: 8b5acb7e8dbffab16a70774cb7df9cfadb4c9b0435c3b76e052a1fd8cd78f0f6