{"description": "All users should have a password change date in the past.", "rationale": "If a user's recorded password change date is in the future, they could\nbypass any configured password expiration.", "severity": "medium", "references": {"cis": ["5.4.1.6"], "pcidss4": ["8.3.5", "8.3"]}, "control_references": {"cis": ["5.4.1.6"], "pcidss4": ["8.3.5", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "any interactive user password has a last change time in the future", "ocil": "Verify that the interactive user account passwords' last change time is not in the future.\nThe following command should return no output:\n<pre>$ # field 3 of /etc/shadow is the last-change date in days since the epoch; compare it numerically against today\nexpiration=$(sudo awk -F ':' '{print $3}' /etc/shadow);\nfor edate in $expiration; do if [[ -n \"$edate\" && $edate -gt $(( $(date +%s)/86400 )) ]];\nthen echo \"Expiry date in future\";\nfi; done </pre>", "oval_external_content": null, "fixtext": "Forcibly expiring the account password is one possible solution to make sure that the policy will be followed.\nOne possible way to do that automatically is:\n<pre>\n      $ lines=$(sudo cat /etc/shadow);\n      $ for line in $lines; do\n         # last-change date in days since the epoch; a value later than today is in the future\n         edate=$(echo $line|awk -F ':' '{print $3}');\n         if [[ -n \"$edate\" && $edate -gt $(( $(date +%s)/86400 )) ]];then\n           user=$(echo $line|awk -F ':' '{print $1}');\n           sudo passwd -e ${user};\n         fi;\n       done\n</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Automatic remediation is not available, in order to avoid system disruption."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure all users' last password change date is in the past", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml", "template": null}