======5.4.1.1 Ensure password expiration is 90 days or less (Scored)======

=====Profile Applicability=====

<code>
Level 1 - Server
Level 1 - Workstation
</code>

=====Description=====

The ''PASS_MAX_DAYS'' parameter in ''/etc/login.defs'' allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the ''PASS_MAX_DAYS'' parameter be set to less than or equal to 90 days.

=====Rationale=====

The window of opportunity for an attacker to leverage compromised credentials, or to compromise credentials via an online brute force attack, is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.

=====Audit=====

Run the following command and verify ''PASS_MAX_DAYS'' is 90 or less:

<code bash>
# grep PASS_MAX_DAYS /etc/login.defs
PASS_MAX_DAYS 90
</code>

Verify all users with a password (second field of ''/etc/shadow'' not starting with ''!'' or ''*'') have their maximum days between password change set to 90 or less:

<code bash>
# egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1
<list of users>
# chage --list <user>
Maximum number of days between password change : 90
</code>

=====Remediation=====

Set the ''PASS_MAX_DAYS'' parameter to 90 in ''/etc/login.defs'':

<code bash>
PASS_MAX_DAYS 90
</code>

Modify user parameters for all users with a password set to match:

<code bash>
# chage --maxdays 90 <user>
</code>

=====Notes=====

You can also check this setting in ''/etc/shadow'' directly. The 5th field should be 90 or less for all users with a password.

centos7/5/4/1/1.txt · Last modified: 2017/05/04 19:41 by 127.0.0.1
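An added example, not part of the benchmark text, that carries out the audit steps above as one script: it reads ''PASS_MAX_DAYS'' from a login.defs file and the 5th field of a shadow file for every account that has a password, and reports anything above 90 days. File paths are parameters and the sample files at the bottom are constructed, so it can be run against copies without root.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit PASS_MAX_DAYS in a
# login.defs file and the 5th (max age) field of a shadow file.
# Both paths are parameters so the check can run on copied files.

MAX_DAYS=90

# Print the effective PASS_MAX_DAYS value (last one wins; empty if unset).
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Print "user:maxdays" for every password-bearing account (2nd field not
# starting with ! or *) whose 5th field is empty (never expires) or > max.
shadow_noncompliant() {
    awk -F: -v max="$2" '
        $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) {
            print $1 ":" ($5 == "" ? "unset" : $5)
        }' "$1"
}

# Exit 0 only when the login.defs default and every account comply.
audit_password_expiry() {
    defs="$1"; shadow="$2"; rc=0
    d=$(login_defs_max_days "$defs")
    if [ -z "$d" ] || [ "$d" -gt "$MAX_DAYS" ]; then
        echo "FAIL login.defs PASS_MAX_DAYS=${d:-unset}"; rc=1
    fi
    bad=$(shadow_noncompliant "$shadow" "$MAX_DAYS")
    if [ -n "$bad" ]; then
        echo "FAIL accounts exceeding $MAX_DAYS days:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Constructed sample input for a stand-alone run (alice should be reported,
# bob and svc are locked accounts and are skipped).
tmp=$(mktemp -d)
printf 'PASS_MAX_DAYS 99999\nPASS_MAX_DAYS 90\n' > "$tmp/login.defs"
printf 'root:$6$hash:17000:0:90:7:::\nalice:$6$hash:17000:0:99999:7:::\nbob:!:17000:0:99999:7:::\nsvc:*:17000:0::::\n' > "$tmp/shadow"
audit_password_expiry "$tmp/login.defs" "$tmp/shadow" && echo "PASS" || echo "audit failed"
rm -rf "$tmp"
```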