7.1 Set Password Expiration Parameters on Active Accounts - WARNWEEKS = 4

Information

The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password.

The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option).

Solution

Perform the following to implement the recommended state:
# logins -ox | awk -F: '($1 == "root" || $8 == "LK" || $8 == "NL")
{ next } ;
{ $cmd = "passwd" } ;
($11 91) { $cmd = $cmd " -x 91" }
($10 < 7) { $cmd = $cmd " -n 7" }
($12 < 28) { $cmd = $cmd " -w 28" }
($cmd != "passwd") { print $cmd " " $1 }' > /etc/CISupd_accounts
# /sbin/sh /etc/CISupd_accounts
# rm -f /etc/CISupd_accounts
# cd /etc/default
# grep -v WEEKS passwd > passwd.CIS
# cat <<EODefaults >> passwd.CIS
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=4
EODefaults
# mv passwd.CIS passwd

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Unix

Control ID: 0a38cc1286ae0a8ace5922cd9da8b9e5e3ac6d1381199df9490288124e1d5de0