Skip to content

Set Existing Passwords Warning Age

An XCCDF Rule

Description

To configure how many days prior to password expiration that a warning will be issued to users, run the command:

$ sudo chage --warndays  USER
The DoD requirement is 7, and CIS recommendation is no less than 7 days. This profile requirement is .

Rationale

Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

ID
xccdf_org.ssgproject.content_rule_accounts_password_set_warn_age_existing
Severity
Medium
References
Updated



Remediation - Ansible

- name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
  set_fact:
    var_accounts_password_warn_age_login_defs: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>
  tags:
    - always


Remediation - Shell Script


var_accounts_password_warn_age_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>'


while IFS= read -r i; do
    chage --warndays $var_accounts_password_warn_age_login_defs $i