5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored) [SecScan]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.

======5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)======
=====Profile Applicability=====  
<code>
Level 1 - Server
Level 1 - Workstation 
</code>

=====Description=====
The ''PASS_MIN_DAYS'' parameter in ''/etc/login.defs'' allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that ''PASS_MIN_DAYS'' parameter be set to 7 or more days.

=====Rationale=====
By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

=====Audit===== 
Run the following command and verify ''PASS_MIN_DAYS'' is 7 or more:
<Code:bash>
# grep PASS_MIN_DAYS /etc/login.defs 
PASS_MIN_DAYS 7
</Code>
Verify all users with a password have their minimum days between password change set to 7 or more:
<Code:bash>
# egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
<list of users> 
# chage --list <user> 
Minimum number of days between password change : 7
</Code>
=====Remediation===== 
Set the ''PASS_MIN_DAYS'' parameter to 7 in ''/etc/login.defs'':
<Code:bash>
PASS_MIN_DAYS 7
</Code>
Modify user parameters for all users with a password set to match:
<Code:bash>
# chage --mindays 7 <user>
</Code>
=====Notes===== 
You can also check this setting in ''/etc/shadow'' directly. The 5th field should be 7 or more for all users with a password.