Profile Applicability:
• Level 1
Description:
Setting a maximum password age of 365 days or less enforces regular password changes, reducing the risk of compromised credentials being used over extended periods.
Rationale:
Regular password expiration mitigates the risk of long-term password compromise and encourages better password hygiene among users.
Impact:
Pros:
Limits the time a compromised password is valid.
Encourages users to update passwords regularly.
Cons:
May increase helpdesk support due to password resets.
Frequent changes can lead to weaker passwords if users choose predictable patterns.
Default Value:
Password expiration policies vary by system and may not enforce a maximum age by default.
Pre-requisites:
Root or sudo privileges to configure password aging policies.
Remediation:
Test Plan:
Using Linux command line:
1. Check current password expiration for users using chage:
chage -l <username>
2. Review /etc/login.defs for default maximum password age:
grep PASS_MAX_DAYS /etc/login.defs
Implementation Plan:
Using Linux command line:
1. Set maximum password age to 365 days or less globally in /etc/login.defs:
vi /etc/login.defs
2. Update or add the line:
PASS_MAX_DAYS 365
3. For specific users, update with chage:
chage -M 365 <username>
4. Verify the settings:
chage -l <username>
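An added audit helper, not part of the benchmark, that applies both checks above to every account at once: it reads the max-age field (field 5) of a shadow file and the PASS_MAX_DAYS default of a login.defs file. The sample shadow and login.defs contents are constructed for the demo; point the functions at /etc/shadow and /etc/login.defs with root privileges for a real audit.

```shell
#!/bin/sh
# Audit helper: lists accounts whose password max-age exceeds a limit and
# checks the PASS_MAX_DAYS default. Field 5 of /etc/shadow is the maximum
# password age in days; an empty field or 99999 means no effective expiry.

# Print each login whose password is usable (hash not locked/disabled) and whose
# max age is empty or greater than the limit. Args: shadow file, limit in days.
shadow_over_limit() {
    awk -F: -v limit="$2" '
        # Locked (!...), disabled (*) and empty hashes cannot be used to log in,
        # so only accounts with a real hash are in scope.
        $2 != "" && $2 !~ /^[!*]/ {
            if ($5 == "" || $5 + 0 > limit) print $1
        }' "$1"
}

# Return 0 if PASS_MAX_DAYS is set and <= limit, 1 otherwise. Args: login.defs, limit.
# Note: PASS_MAX_DAYS only applies to accounts created after it is set; existing
# accounts keep the value stored in /etc/shadow, which is what chage -M changes.
login_defs_ok() {
    val=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1" | tail -n 1)
    [ -n "$val" ] && [ "$val" -le "$2" ]
}

# Constructed sample data (not from a real system) so the helper runs offline.
run_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/shadow" <<'EOF'
root:$6$abc$hash:19000:0:99999:7:::
alice:$6$def$hash:19000:0:365:7:::
bob:$6$ghi$hash:19000:0:::::
svc:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
EOF
    printf 'PASS_MIN_DAYS 0\nPASS_MAX_DAYS 99999\n' > "$tmp/login.defs"
    echo "Accounts with a max password age over 365 days:"
    shadow_over_limit "$tmp/shadow" 365          # prints root and bob
    if login_defs_ok "$tmp/login.defs" 365; then
        echo "PASS_MAX_DAYS default: compliant"
    else
        echo "PASS_MAX_DAYS default: not compliant"
    fi
    rm -rf "$tmp"
}

run_demo
```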
Backout Plan:
Using Linux command line:
Increase password expiration period if necessary by modifying /etc/login.defs and/or using chage.
Verify changes take effect.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
chage Manual