Profile Applicability:
• Level 1
Description:
Configuring a password expiration warning period of 7 or more days alerts users in advance before their password expires. This helps users prepare for timely password changes, reducing account lockouts and support requests.
Rationale:
Providing adequate warning before password expiration improves user experience and supports continuous access while maintaining security through regular password updates.
Impact:
Pros:
Reduces user inconvenience and helpdesk workload.
Encourages timely password updates.
Cons:
None significant; longer warnings generally improve usability.
Default Value:
Password expiration warnings may be set to a lower default value or not configured.
Pre-requisites:
Root or sudo privileges to modify password aging policies.
Remediation:
Test Plan:
Using Linux command line:
1. Check the current warning period for password expiration:
chage -l <username> | grep "Password expires"
chage -l <username> | grep "Password inactive"
chage -l <username> | grep "Warning"
2. Review /etc/login.defs for default warning days:
grep PASS_WARN_AGE /etc/login.defs
Implementation Plan:
Using Linux command line:
1. Set the warning period to 7 or more days globally in /etc/login.defs:
vi /etc/login.defs
2. Update or add the line:
PASS_WARN_AGE 7
3. For specific users, update with chage:
chage -W 7 <username>
4. Verify the settings:
chage -l <username>
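The Test Plan and the verification step above check one account at a time. The following audit script is an added example, not part of the benchmark: it reads PASS_WARN_AGE from a login.defs-style file and lists every password-bearing account in a shadow-format file whose warn-days field (field 6) is missing or below 7. Because PASS_WARN_AGE only governs accounts created after it is set, the shadow check is what catches existing users that still need chage -W. The sample files it creates are constructed inputs so it runs without root; point the two functions at /etc/login.defs and /etc/shadow for a real audit.

```shell
#!/bin/sh
# Audit helper (added example, not from the benchmark): flags the global
# PASS_WARN_AGE and any password-bearing account whose per-user warning
# period (field 6 of /etc/shadow) is missing or below the required minimum.
MIN_WARN=7

# Returns 0 when PASS_WARN_AGE in the given login.defs file is >= MIN_WARN.
# Commented-out lines (#PASS_WARN_AGE ...) do not count as a setting.
login_defs_warn_ok() {
    warn=$(awk '$1 == "PASS_WARN_AGE" { v = $2 } END { print v }' "$1")
    [ -n "$warn" ] && [ "$warn" -ge "$MIN_WARN" ]
}

# Prints, one per line, users in a shadow-format file that have a real
# password hash (field 2 not empty, '!' or '*') and a warn-days field
# (field 6) that is empty or below MIN_WARN; these need 'chage -W'.
users_with_short_warn() {
    awk -F: -v min="$MIN_WARN" '
        $2 != "" && $2 !~ /^[!*]/ && ($6 == "" || $6 + 0 < min) { print $1 }
    ' "$1"
}

# Constructed sample inputs so the script runs without root or real files.
tmp=$(mktemp -d)
cat > "$tmp/login.defs" <<'EOF'
# constructed sample; a real login.defs carries many more settings
PASS_MAX_DAYS 365
PASS_WARN_AGE 5
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$abc$hash:19700:0:365:7:::
alice:$6$def$hash:19700:0:365:3:::
bob:$6$ghi$hash:19700:0:365::::
svc:!:19700:0:99999:7:::
EOF

if login_defs_warn_ok "$tmp/login.defs"; then
    echo "PASS_WARN_AGE meets the ${MIN_WARN}-day minimum"
else
    echo "PASS_WARN_AGE missing or below ${MIN_WARN} days in $tmp/login.defs"
fi
echo "Accounts needing 'chage -W $MIN_WARN <user>':"
users_with_short_warn "$tmp/shadow"
rm -rf "$tmp"
```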
Backout Plan:
Using Linux command line:
Decrease the warning period if necessary by modifying /etc/login.defs and/or using chage.
Verify changes take effect.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
chage Manual