7.1 Set Password Expiration Parameters on Active Accounts - Accounts

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The characteristics of an operating system that make 'user identification' via password a
secure and workable solution are the combination of settings chosen. By requiring that a
series of password choices be security-centric, the system reduces the risk of a malicious user
breaking the password through dictionary/brute-force attacks or fortuitous guessing based
upon 'social engineering.' A basic password security strategy is requiring a new password
to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force
tactics will fail when a new password is chosen, which requires starting over again to break
the new password.

Rationale:

The commands for this item set all active accounts (except the root account) to force
password changes every 91 days (13 weeks), and then prevent password changes for seven
days (one week) thereafter. Users will begin receiving warnings 7 days (1 week) before
their password expires. Sites also have the option of expiring idle accounts after a certain
number of days (see the on-line manual page for the usermod command, particularly the -f
option).

Solution

Perform the following to implement the recommended state:

# logins -ox | awk -F: '($1 == "root" || $8 == "LK" || $8 == "NL") { next }
  { cmd = "passwd" }
  ($11 < 91) { cmd = cmd " -x 91" }
  ($10 < 7)  { cmd = cmd " -n 7" }
  ($12 < 28) { cmd = cmd " -w 28" }
  (cmd != "passwd") { print cmd " " $1 }' > /etc/CISupd_accounts

# /sbin/sh /etc/CISupd_accounts

# rm -f /etc/CISupd_accounts

# cd /etc/default

# cp passwd passwd.orig

# grep -v WEEKS passwd > passwd.CIS

# cat <<EODefaults >> passwd.CIS
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=1
EODefaults

# mv passwd.CIS passwd
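As an added audit helper (not part of the benchmark text), the following script uses the same logins -ox field layout and day thresholds as the commands above, but only reports the accounts and /etc/default/passwd keys that are out of compliance rather than changing them. The logins records and defaults file content are constructed samples, and the field order (status in field 8, min/max/warn in fields 10-12) is assumed from the awk program above.

```shell
#!/bin/sh
# aging_audit: reads `logins -ox`-style records on stdin and prints one line per
# active, non-root account whose aging values are below the benchmark thresholds.
# Assumed layout: login:uid:group:gid:comment:home:shell:status:lastchg:min:max:warn
aging_audit() {
    awk -F: -v max=91 -v min=7 -v warn=28 '
        ($1 == "root" || $8 == "LK" || $8 == "NL") { next }   # skip root, locked, no-login
        {
            bad = ""
            if ($11 < max)  bad = bad " max=" $11
            if ($10 < min)  bad = bad " min=" $10
            if ($12 < warn) bad = bad " warn=" $12
            if (bad != "") { print $1 ":" bad; n++ }
        }
        END { exit (n > 0) }'   # exit 1 when any account needs attention
}

# defaults_audit: reads an /etc/default/passwd-style file on stdin and prints the
# WEEKS keys that are missing, empty, or outside the recommended range.
defaults_audit() {
    awk -F= -v rc=0 '
        /^MAXWEEKS=/  { seen["MAXWEEKS"] = 1;  if ($2+0 < 1 || $2+0 > 13) { print $0; rc = 1 } }
        /^MINWEEKS=/  { seen["MINWEEKS"] = 1;  if ($2+0 < 1) { print $0; rc = 1 } }
        /^WARNWEEKS=/ { seen["WARNWEEKS"] = 1; if ($2+0 < 1) { print $0; rc = 1 } }
        END {
            split("MAXWEEKS MINWEEKS WARNWEEKS", k, " ")
            for (i = 1; i <= 3; i++) if (!(k[i] in seen)) { print k[i] " missing"; rc = 1 }
            exit rc
        }'
}

# Constructed sample records (not real logins output); bob is compliant, dave only warns too late.
SAMPLE_LOGINS='root:0:root:0:Super-User:/:/sbin/sh:PS:010170:-1:-1:-1
alice:100:staff:10:Alice:/export/home/alice:/bin/bash:PS:011524:0:-1:-1
bob:101:staff:10:Bob:/export/home/bob:/bin/bash:PS:011524:7:91:28
dave:103:staff:10:Dave:/export/home/dave:/bin/bash:PS:011524:7:91:7
carol:102:staff:10:Carol:/export/home/carol:/bin/bash:LK:011524:0:-1:-1
nobody:60001:nobody:60001:NFS Anonymous Access User:/::NL:000000:0:0:0'
# Constructed defaults file resembling a stock Solaris /etc/default/passwd.
SAMPLE_DEFAULTS='MAXWEEKS=
MINWEEKS=
PASSLENGTH=6'

if printf '%s\n' "$SAMPLE_LOGINS" | aging_audit; then
    echo "all active accounts meet the aging thresholds"
else
    echo "accounts above need passwd -x/-n/-w adjustments"
fi
printf '%s\n' "$SAMPLE_DEFAULTS" | defaults_audit || echo "defaults above need fixing"
```

On a live system, feed it with `logins -ox | aging_audit` and `defaults_audit < /etc/default/passwd` to review the changes before running the generated passwd commands.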

Notes:

Since /etc/default/passwd sets defaults in terms of number of weeks (even though the
actual values on user accounts are kept in terms of days), it is probably best to choose
interval values that are multiples of 7.

See Also

https://workbench.cisecurity.org/files/2582