CIS 5.4.1.x
* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
Related-Prod: PROD-18386
Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
diff --git a/metadata/service/system/cis/cis-5-4-1-1.yml b/metadata/service/system/cis/cis-5-4-1-1.yml
new file mode 100644
index 0000000..8b82466
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-1.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
+#
+# Description
+# ===========
+# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
+# force passwords to expire once they reach a defined age. It is recommended
+# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
+#
+# Rationale
+# =========
+# The window of opportunity for an attacker to leverage compromised credentials
+# or successfully compromise credentials via an online brute force attack is
+# limited by the age of the password. Therefore, reducing the maximum age of a
+# password also reduces an attacker's window of opportunity.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MAX_DAYS is 90 or less:
+#
+# # grep PASS_MAX_DAYS /etc/login.defs
+# PASS_MAX_DAYS 90
+#
+# Verify all users with a password have their maximum days between password
+# change set to 90 or less:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Maximum number of days between password change: 90
+#
+# Remediation
+# ===========
+# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
+#
+# PASS_MAX_DAYS 90
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --maxdays 90 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 90 or less for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ PASS_MAX_DAYS:
+ value: 90
+
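Review bot: the `parameters` block only sets PASS_MAX_DAYS in /etc/login.defs, which governs accounts created after the change, while the Remediation text in this same file says existing users must also be updated with `chage --maxdays 90 <user>`; nothing in the metadata covers that per-user step, so either model it or state in Notes that existing accounts need a separate remediation. Also, the Audit pipeline `egrep ^[^:]+:[^\!*] /etc/shadow` should quote its pattern (`egrep '^[^:]+:[^\!*]' /etc/shadow`) so an interactive shell does not glob the `*` or history-expand the `!` when the command is pasted.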
diff --git a/metadata/service/system/cis/cis-5-4-1-2.yml b/metadata/service/system/cis/cis-5-4-1-2.yml
new file mode 100644
index 0000000..50543ca
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-2.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to
+# prevent users from changing their password until a minimum number of days
+# have passed since the last time the user changed their password. It is
+# recommended that PASS_MIN_DAYS parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# By restricting the frequency of password changes, an administrator can
+# prevent users from repeatedly changing their password in an attempt to
+# circumvent password reuse controls.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MIN_DAYS is 7 or more:
+#
+# # grep PASS_MIN_DAYS /etc/login.defs
+# PASS_MIN_DAYS 7
+#
+# Verify all users with a password have their minimum days between password
+# change set to 7 or more:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Minimum number of days between password change: 7
+#
+# Remediation
+# ===========
+# Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :
+#
+# PASS_MIN_DAYS 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --mindays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ PASS_MIN_DAYS:
+ value: 7
+
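Review bot: the Notes section says the 5th field of /etc/shadow should be 7 or more, which is the same field that cis-5-4-1-1.yml assigns to PASS_MAX_DAYS; the minimum-days value lives in the 4th field, so this reads like a copy-paste leftover and should say `The 4th field`. The same per-user caveat as in 5.4.1.1 applies: the login_defs parameter does not run `chage --mindays 7` against existing accounts.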
diff --git a/metadata/service/system/cis/cis-5-4-1-3.yml b/metadata/service/system/cis/cis-5-4-1-3.yml
new file mode 100644
index 0000000..3567f2a
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-3.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
+# notify users that their password will expire in a defined number of days.
+# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# Providing an advance warning that a password will be expiring gives users
+# time to think of a secure password. Users caught unaware may choose a simple
+# password or write it down where it may be discovered.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_WARN_AGE is 7 or more:
+#
+# # grep PASS_WARN_AGE /etc/login.defs
+# PASS_WARN_AGE 7
+#
+# Verify all users with a password have their number of days of warning before
+# password expires set to 7 or more:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Number of days of warning before password expires: 7
+#
+# Remediation
+# ===========
+#
+# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
+#
+# PASS_WARN_AGE 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --warndays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 6th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ PASS_WARN_AGE:
+ value: 7
+
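Review bot: style, the Remediation section opens with a stray blank `#` line (the `#` directly after `# ===========`) that the other three files in this change do not have; drop it so the four files stay uniform.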
diff --git a/metadata/service/system/cis/cis-5-4-1-4.yml b/metadata/service/system/cis/cis-5-4-1-4.yml
new file mode 100644
index 0000000..97a86af
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-4.yml
@@ -0,0 +1,51 @@
+# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+#
+# Description
+# ===========
+# User accounts that have been inactive for over a given period of time can be
+# automatically disabled. It is recommended that accounts that are inactive
+# for 30 days after password expiration be disabled.
+#
+# Rationale
+# =========
+# Inactive accounts pose a threat to system security since the users are not
+# logging in to notice failed login attempts or other anomalies.
+#
+# Audit
+# =====
+# Run the following command and verify INACTIVE is 30 or less:
+#
+# # useradd -D | grep INACTIVE
+# INACTIVE=30
+#
+# Verify all users with a password have Password inactive no more than 30 days
+# after password expires:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Password inactive: <date>
+#
+# Remediation
+# ===========
+# Run the following command to set the default password inactivity period to
+# 30 days:
+#
+# # useradd -D -f 30
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --inactive 30 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 7th field
+# should be 30 or less for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ INACTIVE:
+ value: 30
+
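Review bot: INACTIVE is placed under `linux:system:login_defs`, but the Audit and Remediation in this same file read and set it through `useradd -D` and `useradd -D -f 30`, i.e. the useradd defaults rather than /etc/login.defs, which has no INACTIVE key. If the login_defs parameters are rendered into /etc/login.defs, this control will not be enforced; move the value to the key the formula uses for useradd defaults, or document why login_defs is intended. The Notes line about the 7th field of /etc/shadow is correct.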
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index 5f27e22..3295fca 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -31,6 +31,10 @@
- service.linux.system.cis.cis-3-5-2
- service.linux.system.cis.cis-3-5-3
- service.linux.system.cis.cis-3-5-4
+- service.linux.system.cis.cis-5-4-1-1
+- service.linux.system.cis.cis-5-4-1-2
+- service.linux.system.cis.cis-5-4-1-3
+- service.linux.system.cis.cis-5-4-1-4
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4