{"description": "To specify password minimum age for new accounts,\nedit the file <tt>/etc/login.defs</tt>\nand add or correct the following line:\n<pre>PASS_MIN_DAYS <sub idref=\"var_accounts_minimum_age_login_defs\" /></pre>\nA value of 1 day is considered sufficient for many\nenvironments.\nThe profile requirement is <tt><sub idref=\"var_accounts_minimum_age_login_defs\" /></tt>.", "rationale": "Enforcing a minimum password lifetime helps to prevent repeated password\nchanges to defeat the password reuse or history enforcement requirement. If\nusers are allowed to immediately and continually change their password,\nthen the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.\n<br /><br />\nSetting the minimum password age protects against users cycling back to a\nfavorite password after satisfying the password reuse requirement.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.8"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(f)", "IA-5(1)(d)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000075-GPOS-00043"], "cis": ["5.4.1.2"], "ism": ["0418", "1055", "1402"], "stigid": ["UBTU-22-411025"], "stigref": ["SV-260545r1015007_rule"]}, "control_references": {"cis": ["5.4.1.2"], "ism": ["0418", "1055", "1402"], "stigid": ["UBTU-22-411025"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"PASS_MIN_DAYS\" parameter value is not \"<sub idref=\"var_accounts_minimum_age_login_defs\" />\" or greater, or is commented out", "ocil": "Verify Ubuntu 22.04 enforces 24 hours/one day as the minimum password lifetime for new user accounts.\n\nCheck for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n\n<pre>$ grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS <sub idref=\"var_accounts_minimum_age_login_defs\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce 24 hours/one day as the minimum password lifetime.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MIN_DAYS <sub idref=\"var_accounts_minimum_age_login_defs\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 passwords for new users or password changes must have a 24 hours/one day minimum password lifetime restriction in /etc/login.defs.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.", "vuldiscussion": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.\n\nSetting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.", "checktext": "Verify Ubuntu 22.04 enforces 24 hours as the minimum password lifetime for new user accounts.\n\nCheck for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the following command:\n\n$ grep -i pass_min_days /etc/login.defs\n\nPASS_MIN_DAYS 1\n\nIf the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to enforce 24 hours as the minimum password lifetime.\n\nAdd the following line in \"/etc/login.defs\" (or modify the line to have the required value):\n\nPASS_MIN_DAYS 1"}}, "platform": "package[shadow-utils]", "platforms": ["package[shadow-utils]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_shadow-utils"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Minimum Age", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml", "template": null}