Profile Applicability:
• Level 1
Description:
Verify that every account that has a password also has a recorded last password change date in the past (the third field of /etc/shadow, shown by chage -l). An unset field or a date in the future breaks password aging and usually points to a hand-edited shadow entry, a chage -d run with the wrong argument, or a wrong system clock at the time the password was set.
Rationale:
Password aging is computed from the recorded last change date: the password expires after that date plus the maximum age, and expiry warnings are issued relative to it. A date in the future therefore postpones expiration past the intended limit and lets the account escape the expiration policy; an unset date leaves aging undefined. Valid, historical dates keep the policy enforceable.
Impact:
Pros:
Ensures consistent password policy enforcement.
Prevents potential bypass of password aging controls.
Cons:
Requires audit and remediation for accounts with missing or invalid dates.
Default Value:
Accounts are normally created correctly: passwd (and useradd, when it writes the shadow entry) record the current day in the third field of /etc/shadow. A missing or future value only arises from manual edits, an incorrect chage -d argument, or a wrong system clock, so any such account is an anomaly to investigate rather than a default state.
Pre-requisites:
Root or sudo privileges: /etc/shadow is readable only by root, and chage requires root to view or modify another user's password aging fields.
Remediation:
Test Plan:
Using Linux command line:
List the last password change date for each user:
chage -l <username> | grep "Last password change"
Run this for every account that has a password hash in /etc/shadow (a second field that is not empty and does not begin with "!" or "*"), for example from a shell loop over the first field of /etc/shadow. chage prints "never" when the field is empty and "password must be changed" when it is 0 (a deliberate forced change at next login); otherwise it prints a calendar date.
Any account whose printed date is later than today, or whose date is "never", is a finding and must be investigated.
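The per-user chage check above, generalized to a whole shadow-format file, as an added example that is not part of the CIS benchmark or its own audit script: it reads the third field of each entry directly instead of parsing chage output, skips accounts that cannot authenticate with a password, and flags future or empty change dates while allowing 0 (forced change at next login). The function names, the sample shadow lines and the day number used as "today" are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for last-password-change dates
# that are in the future or missing. Function and sample data are constructed
# for illustration; this is not the CIS benchmark's own audit script.

# Days since 1970-01-01 for the current day, the unit used in /etc/shadow field 3.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# audit_pw_change_dates <shadow-format file> <today in days since epoch>
# Prints "<user> <field3> <reason>" for each offending account.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_pw_change_dates() {
    file=$1
    today=$2
    found=0
    while IFS=: read -r user hash lstchg _rest; do
        # Skip blank lines and comments.
        case $user in ''|'#'*) continue ;; esac
        # Skip accounts that cannot authenticate with a password:
        # empty hash, locked ("!" / "!!") or disabled ("*"); the CIS audit
        # also ignores second fields beginning with x/X, so do the same.
        case $hash in ''|'!'*|'*'*|'x'*|'X'*) continue ;; esac
        if [ -z "$lstchg" ]; then
            # chage -l reports this as "Last password change : never"
            echo "$user <empty> no change date recorded"
            found=1
        elif [ "$lstchg" -gt "$today" ]; then
            # chage -l would print a calendar date later than today
            echo "$user $lstchg change date is in the future"
            found=1
        fi
        # lstchg of 0 means "password must be changed" at next login; allowed.
    done < "$file"
    return $found
}

# Constructed sample (not a real /etc/shadow). Day 20000 stands in for "today".
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$6$saltsalt$fakehashvalue:19500:0:99999:7:::
bob:$6$saltsalt$fakehashvalue:99999:0:99999:7:::
carol:$6$saltsalt$fakehashvalue::0:99999:7:::
dave:$6$saltsalt$fakehashvalue:0:0:99999:7:::
svc:!!:99999:0:99999:7:::
root:*:99999:0:99999:7:::
EOF
if audit_pw_change_dates "$sample" 20000; then
    echo "no accounts flagged"
else
    echo "review the accounts listed above"
fi
rm -f "$sample"

# On a real host, as root:  audit_pw_change_dates /etc/shadow "$(today_days)"
```

Against the constructed sample only bob (future date) and carol (empty field) are reported; alice has a past date, dave's 0 is a legitimate forced change, and svc and root have no usable password hash so their aging fields are irrelevant.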
Implementation Plan:
Using Linux command line:
1. For each account identified in the test plan, record its current value and decide how to correct it. If the future or missing date has a benign explanation (for example a clock error when the password was set), set the last password change date to today so that aging starts now:
chage -d "$(date +%Y-%m-%d)" <username>
If it is unexplained, treat the account as suspect rather than silently restarting its aging clock: force a password change at the next login with chage -d 0 <username>, or lock the account, and follow up through the incident process.
2. Verify the change:
chage -l <username> | grep "Last password change"
Backout Plan:
Using Linux command line:
Restore the value recorded before remediation with the same command, chage -d <previous-date> <username>, and confirm it with chage -l <username>.
Ensure the restored value is consistent with organizational password aging policy.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
chage(1) manual page