7.2 Set Password Expiration Parameters on Active Accounts - Check WARNWEEKS is set to 4

Information

Many organizations require users to change passwords on a regular basis.

Note - Since /etc/default/passwd sets defaults in terms of number of weeks (even though the actual values on user accounts are kept in terms of days), it is probably best to choose interval values that are multiples of 7.

Actions for this item do not work on accounts stored on network directories such as LDAP.

Solution

Please refer to the remediation steps on page 102 of the CIS document.

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Unix

Control ID: 1bbf51facc21baa399494eab827a54d90d7e237619ae051f6e70c7d745491a15