Skip to content

Set Password Warning Age

An XCCDF Rule

Description

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE 
The DoD requirement is 7. The profile requirement is .

Rationale

Setting the password warning age enables users to make the change at a practical time.

ID
xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83609-8
  - NIST-800-171-3.5.8

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_password_warn_age_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>'

# Strip any search characters in the key arg so that the key can be replaced without