CIS 5.4.1.x
* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
Related-Prod: PROD-18386
Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
diff --git a/metadata/service/system/cis/cis-5-4-1-3.yml b/metadata/service/system/cis/cis-5-4-1-3.yml
new file mode 100644
index 0000000..3567f2a
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-3.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
+# notify users that their password will expire in a defined number of days.
+# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# Providing an advance warning that a password will be expiring gives users
+# time to think of a secure password. Users caught unaware may choose a simple
+# password or write it down where it may be discovered.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_WARN_AGE is 7 or more:
+#
+# # grep PASS_WARN_AGE /etc/login.defs
+# PASS_WARN_AGE 7
+#
+# Verify all users with a password have their number of days of warning before
+# password expires set to 7 or more:
+#
+# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+# <list of users>
+# # chage --list <user>
+# Number of days of warning before password expires: 7
+#
+# Remediation
+# ===========
+#
+# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
+#
+# PASS_WARN_AGE 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+# # chage --warndays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 6th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+ linux:
+ system:
+ login_defs:
+ PASS_WARN_AGE:
+ value: 7
+
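Review bot: the parameters block at the end of this file only sets PASS_WARN_AGE under linux:system:login_defs, but the Remediation section in the header comment also requires `chage --warndays 7 <user>` for every existing user with a password, and nothing in this file does that. Values in /etc/login.defs are applied as defaults when an account is created, so accounts that already exist keep whatever warning value is in /etc/shadow, and the second audit step (`chage --list <user>`) can still fail after this metadata is applied. Either add a per-user step or say in the Notes section that existing accounts must be handled separately. A smaller point on the Audit section: the pattern in `egrep ^[^:]+:[^\!*] /etc/shadow` is unquoted, so the shell may expand the brackets and asterisk before egrep sees them; wrapping the pattern in single quotes makes the documented command safe to copy.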