7.1 Set Password Expiration Parameters on Active Accounts - MAXWEEKS = 13

Information

What makes password-based user identification a secure and workable solution on an
operating system is the combination of settings chosen. Requiring that a series of
password choices be security-centric reduces the risk of a malicious user breaking the
password through dictionary or brute-force attacks, or through guessing based on social
engineering. A basic password security strategy is to require a new password every
45-90 days, so that an ongoing brute-force attempt fails once the password changes and
the attacker must start over against the new one. Expiration limits how long a
compromised or weak password stays useful; it does not by itself stop a weak password
from being guessed within that window, so it complements length and complexity
requirements rather than replacing them.

The commands for this item set all active accounts (root is skipped, as is any account
whose password status is locked, LK, or no-login, NL) to force password changes every
91 days (13 weeks), and then prevent further password changes for seven days (one week)
after each change. Users will begin receiving warnings 7 days (1 week) before their
password expires. Sites also have the option of expiring idle accounts after a certain
number of days (see the on-line manual page for the usermod command, particularly the
-f option).

Solution

Perform the following to implement the recommended state:

# logins -ox | \
awk -F: '($1 == "root" || $8 == "LK" || $8 == "NL") { next } ;
{ cmd = "passwd" } ;
($11 > 91) { cmd = cmd " -x 91" }
($10 < 7) { cmd = cmd " -n 7" }
($12 < 7) { cmd = cmd " -w 7" }
(cmd != "passwd") { print cmd " " $1 }' > /etc/CISupd_accounts
# /sbin/sh /etc/CISupd_accounts
# rm -f /etc/CISupd_accounts
# cd /etc/default
# grep -v WEEKS passwd > passwd.CIS
# cat <<EODefaults >> passwd.CIS
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=1
EODefaults
# mv passwd.CIS passwd

logins -ox prints one colon-separated record per account. Field 1 is the login name,
field 8 is the password status (PS for a set password, LK for locked, NL for no
login), and fields 10, 11 and 12 are the minimum, maximum and warning values in
days. The awk script skips root and any LK or NL account, builds a passwd command
only for accounts whose current values fall outside the target (-x sets the maximum,
-n the minimum, -w the warning period), and the generated commands are then run and
discarded. The last five commands replace any existing *WEEKS settings in
/etc/default/passwd so that newly created accounts inherit the same aging policy.
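The remediation above changes settings; an auditor usually wants to see first what is
non-compliant without touching anything. The following is an added example, not part of
the CIS benchmark or of this audit item: a POSIX sh/awk check that reads `logins -ox`
style records and an /etc/default/passwd body and reports every account and setting
outside MAXWEEKS=13, MINWEEKS=1, WARNWEEKS=1. The account records and file contents are
constructed for the example, the function names are hypothetical, and it assumes that
logins reports an aging value that has never been set as -1, which the remediation's
`$11 > 91` comparison does not match; here such a maximum is reported as a finding.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or this audit item: an audit-side
# check for 7.1 that reports which accounts and which /etc/default/passwd settings
# fall outside MAXWEEKS=13 (91 days), MINWEEKS=1 (7 days), WARNWEEKS=1 (7 days).
# The records and file contents below are constructed for the example.

# `logins -ox` prints one colon-separated record per account:
#   login:uid:group:gid:gecos:home:shell:pwstat:lastchg:min:max:warn
# Field 8 is the password status (PS, LK, NL, NP, UP); fields 10-12 are the
# minimum, maximum and warning values in days. A value of -1 is assumed here to
# mean "not set".
SAMPLE_LOGINS='root:0:root:0:Super-User:/:/sbin/sh:PS:010113:0:-1:-1
daemon:1:other:1::/:/sbin/sh:NL:000000:-1:-1:-1
alice:1001:staff:10:Alice:/export/home/alice:/bin/bash:PS:010113:0:-1:-1
bob:1002:staff:10:Bob:/export/home/bob:/bin/bash:PS:010113:7:91:7
carol:1003:staff:10:Carol:/export/home/carol:/bin/bash:LK:010113:0:-1:-1
dave:1004:staff:10:Dave:/export/home/dave:/bin/bash:PS:010113:3:60:5'

# A stock-looking /etc/default/passwd: the aging keys are commented out.
SAMPLE_DEFAULTS='#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
#MAXWEEKS=
#MINWEEKS=
PASSLENGTH=6'

# Read logins -ox records on stdin; print "login: max=N min=N warn=N" for each
# account whose aging is outside the target. root, locked (LK) and no-login (NL)
# accounts are skipped, exactly as in the remediation script. Unlike that
# script's "$11 > 91", an unset maximum (-1) is reported as non-compliant.
audit_logins() {
    awk -F: '
        $1 == "root" || $8 == "LK" || $8 == "NL" { next }
        {
            bad = ""
            if ($11 < 0 || $11 > 91) bad = bad " max=" $11
            if ($10 < 7)             bad = bad " min=" $10
            if ($12 < 7)             bad = bad " warn=" $12
            if (bad != "") print $1 ":" bad
        }'
}

# Read an /etc/default/passwd body on stdin; print each of MAXWEEKS, MINWEEKS and
# WARNWEEKS that is missing, commented out, empty, or outside the target.
audit_defaults() {
    awk -F= '
        function check(k, op, lim) {
            if (!(k in v) || v[k] == "") { print k " not set"; return }
            # +0 forces a numeric comparison even after the trailing-space trim
            if ((op == "max" && v[k] + 0 > lim) || (op == "min" && v[k] + 0 < lim))
                print k "=" v[k]
        }
        /^[ \t]*#/ || NF < 2 { next }
        { val = $2; sub(/[ \t]+$/, "", val); v[$1] = val }
        END {
            check("MAXWEEKS", "max", 13)
            check("MINWEEKS", "min", 1)
            check("WARNWEEKS", "min", 1)
        }'
}

# Combine both checks: print the findings and return 1, or return 0 if none.
audit_item_7_1() {
    findings=$(printf '%s\n' "$1" | audit_logins
               printf '%s\n' "$2" | audit_defaults)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if audit_item_7_1 "$SAMPLE_LOGINS" "$SAMPLE_DEFAULTS"; then
    echo "7.1: PASS"
else
    echo "7.1: FAIL"
fi
```

On a live Solaris host, replace the constructed samples with `$(logins -ox)` and
`$(cat /etc/default/passwd)`; audit_item_7_1 exits 0 only when there are no findings,
so it can gate a larger audit script. Accounts with status NP (no password) are not
skipped, matching the remediation, since they can still have aging applied.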

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Unix

Control ID: 269759dab291334110796254a48567f5c3157e7a86d5dd18e8f95c4cb5fa31eb