3.1.2.5 maxexpired

Information

Defines the number of weeks after maxage, that a password can be reset by the user.

Rationale:

The maxexpired attribute limits the number of weeks after password expiry that a password may be changed by the user.

Solution

In /etc/security/user, set the default user stanza maxexpired attribute to 4:

chsec -f /etc/security/user -s default -a maxexpired=4

This means that a user can reset their password up to 4 weeks after it has expired. After this an administrative user would need to reset the password.

Default Value:

No limit

See Also

https://workbench.cisecurity.org/files/3525

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Unix

Control ID: 20a7ebe4245913065db3ded010fefb01de201b48c8c4efa67b16e1b82402207b