Increase default PASS_MAX_DAYS
Updated version of CIS Ubuntu Benchmark (v.1.1.0) now recommends
that password expiration threshold to be 365 days or less.
Change-Id: I42368a40e819f3895dccbd21465e8479ff2aa8e6
Related-Prod: PROD-29769
diff --git a/metadata/service/system/cis/cis-5-4-1-1.yml b/metadata/service/system/cis/cis-5-4-1-1.yml
index 8b82466..99c83f2 100644
--- a/metadata/service/system/cis/cis-5-4-1-1.yml
+++ b/metadata/service/system/cis/cis-5-4-1-1.yml
@@ -1,36 +1,37 @@
-# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
+# CIS 5.4.1.1 Ensure password expiration is 365 days or less (Scored)
#
# Description
# ===========
-# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
+# The PASS_MAX_DAYS parameter in `/etc/login.defs` allows an administrator to
# force passwords to expire once they reach a defined age. It is recommended
-# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
+# that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days.
#
# Rationale
# =========
-# The window of opportunity for an attacker to leverage compromised credentials
-# or successfully compromise credentials via an online brute force attack is
-# limited by the age of the password. Therefore, reducing the maximum age of a
-# password also reduces an attacker's window of opportunity.
+# The window of opportunity for an attacker to leverage compromised
+# credentials or successfully compromise credentials via an online brute force
+# attack is limited by the age of the password. Therefore, reducing the
+# maximum age of a password also reduces an attacker's window of opportunity.
#
# Audit
# =====
-# Run the following command and verify PASS_MAX_DAYS is 90 or less:
+# Run the following command and verify PASS_MAX_DAYS conforms to site policy
+# (no more than 365 days):
#
# # grep PASS_MAX_DAYS /etc/login.defs
# PASS_MAX_DAYS 90
#
-# Verify all users with a password have their maximum days between password
-# change set to 90 or less:
+# Verify all users with a password maximum days between password change
+# conforms to site policy (no more than 365 days):
#
# # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
# <list of users>
# # chage --list <user>
-# Maximum number of days between password change: 90
+# Maximum number of days between password change : 90
#
# Remediation
# ===========
-# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
+# Set the PASS_MAX_DAYS parameter to conform to site policy in `/etc/login.defs`:
#
# PASS_MAX_DAYS 90
#
@@ -40,13 +41,17 @@
#
# Notes
# =====
-# You can also check this setting in /etc/shadow directly. The 5th field
-# should be 90 or less for all users with a password.
+# You can also check this setting in `/etc/shadow` directly. The 5th field
+# should be 365 or less for all users with a password.
+#
+# *Note*: A value of -1 will disable password expiration. Additionally the
+# password expiration must be greater than the minimum days between password
+# changes or users will be unable to change their password.
#
parameters:
linux:
system:
login_defs:
PASS_MAX_DAYS:
- value: 90
+ value: 365