{"description": "Configure non-compliant accounts to enforce a <sub idref=\"var_accounts_maximum_age_login_defs\" />-day maximum password lifetime\nrestriction by running the following command:\n<pre>$ sudo chage -M <sub idref=\"var_accounts_maximum_age_login_defs\" /> <i>USER</i></pre>", "rationale": "Any password, no matter how complex, can eventually be cracked. Therefore,\npasswords need to be changed periodically. If the operating system does\nnot limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", "severity": "medium", "references": {"nist": ["IA-5(f)", "IA-5(1)(d)", "CM-6(a)"], "srg": ["SRG-OS-000076-GPOS-00044"], "cis": ["5.4.1.1"], "pcidss4": ["8.3.9", "8.3"]}, "control_references": {"cis": ["5.4.1.1"], "pcidss4": ["8.3.9", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "any results are returned that are not associated with a system account", "ocil": "Check whether the maximum time period for existing passwords is restricted to <sub idref=\"var_accounts_maximum_age_login_defs\" /> days with the following commands:\n\n$ sudo awk -F: '$5 &gt; 60 {print $1 \" \" $5}' /etc/shadow\n\n$ sudo awk -F: '$5 &lt;= 0 {print $1 \" \" $5}' /etc/shadow", "oval_external_content": null, "fixtext": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\npasswd -q -x <sub idref=\"var_accounts_maximum_age_login_defs\" /> [user]", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 user account passwords must have a 60-day maximum password lifetime restriction.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 user account passwords must have a 60-day maximum password lifetime restriction.", "vuldiscussion": "Any password, no matter how complex, can eventually be cracked. Therefore,\npasswords need to be changed periodically. If the operating system does\nnot limit the lifetime of passwords and force users to change their\npasswords, there is the risk that the operating system passwords could be\ncompromised.", "checktext": "Check whether the maximum time period for existing passwords is restricted to 60 days with the following commands:\n\n$ sudo awk -F: '$5 > 60 {print $1 \" \" $5}' /etc/shadow\n\n$ sudo awk -F: '$5 <= 0 {print $1 \" \" $5}' /etc/shadow\n\nIf any results are returned that are not associated with a system account, this is a finding.", "fixtext": "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.\n\npasswd -x 60 [user]"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Existing Passwords Maximum Age", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml", "template": null}