metadata/service/system/cis/cis-5-4-1-1.yml - salt-formulas/linux - Gitiles

 # CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
 #
 # Description
 # ===========
 # The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
 # force passwords to expire once they reach a defined age. It is recommended
 # that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
 #
 # Rationale
 # =========
 # The window of opportunity for an attacker to leverage compromised credentials
 # or successfully compromise credentials via an online brute force attack is
 # limited by the age of the password. Therefore, reducing the maximum age of a
 # password also reduces an attacker's window of opportunity.
 #
 # Audit
 # =====
 # Run the following command and verify PASS_MAX_DAYS is 90 or less:
 #
 #   # grep PASS_MAX_DAYS /etc/login.defs
 #   PASS_MAX_DAYS 90
 #
 # Verify all users with a password have their maximum days between password
 # change set to 90 or less:
 #
 #   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
 #   <list of users>
 #   # chage --list <user>
 #   Maximum number of days between password change: 90
 #
 # Remediation
 # ===========
 # Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
 #
 #   PASS_MAX_DAYS 90
 #
 # Modify user parameters for all users with a password set to match:
 #
 #   # chage --maxdays 90 <user>
 #
 # Notes
 # =====
 # You can also check this setting in /etc/shadow directly. The 5th field
 # should be 90 or less for all users with a password.
 #
 parameters:
   linux:
     system:
       login_defs:
         PASS_MAX_DAYS:
           value: 90
	# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
	#
	# Description
	# ===========
	# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
	# force passwords to expire once they reach a defined age. It is recommended
	# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
	#
	# Rationale
	# =========
	# The window of opportunity for an attacker to leverage compromised credentials
	# or successfully compromise credentials via an online brute force attack is
	# limited by the age of the password. Therefore, reducing the maximum age of a
	# password also reduces an attacker's window of opportunity.
	#
	# Audit
	# =====
	# Run the following command and verify PASS_MAX_DAYS is 90 or less:
	#
	# # grep PASS_MAX_DAYS /etc/login.defs
	# PASS_MAX_DAYS 90
	#
	# Verify all users with a password have their maximum days between password
	# change set to 90 or less:
	#
	# # egrep ^[^:]+:[^\!*] /etc/shadow \| cut -d: -f1
	# <list of users>
	# # chage --list <user>
	# Maximum number of days between password change: 90
	#
	# Remediation
	# ===========
	# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
	#
	# PASS_MAX_DAYS 90
	#
	# Modify user parameters for all users with a password set to match:
	#
	# # chage --maxdays 90 <user>
	#
	# Notes
	# =====
	# You can also check this setting in /etc/shadow directly. The 5th field
	# should be 90 or less for all users with a password.
	#
	parameters:
	linux:
	system:
	login_defs:
	PASS_MAX_DAYS:
	value: 90