Set Password Warning Age
An XCCDF Rule
Description
To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs
and add or correct
the following line:
PASS_WARN_AGEThe DoD requirement is 7. The profile requirement is
.
Rationale
Setting the password warning age enables users to make the change at a practical time.
- ID
- xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83609-8
- NIST-800-171-3.5.8
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then
var_accounts_password_warn_age_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>'
# Strip any search characters in the key arg so that the key can be replaced without