Skip to content

Set Existing Passwords Maximum Age

An XCCDF Rule

Description

Configure non-compliant accounts to enforce a -day maximum password lifetime restriction by running the following command:

$ sudo chage -M  USER

Rationale

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

ID
xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Severity
Medium
References
Updated



Remediation - Shell Script


var_accounts_maximum_age_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>'


while IFS= read -r i; do
    

Remediation - Ansible

- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>
  tags:
    - always