{"description": "The file <tt>/etc/login.defs</tt> controls several\npassword-related settings. Programs such as <tt>passwd</tt>,\n<tt>su</tt>, and\n<tt>login</tt> consult <tt>/etc/login.defs</tt> to determine\nbehavior with regard to password aging, expiration warnings,\nand length. See the man page <tt>login.defs(5)</tt> for more information.\n<br /><br />\nUsers should be forced to change their passwords, in order to\ndecrease the utility of compromised passwords. However, the need to\nchange passwords often should be balanced against the risk that\nusers will reuse or write down passwords if forced to change them\ntoo often. Forcing password changes every 90-360 days, depending on\nthe environment, is recommended. Set the appropriate value as\n<tt>PASS_MAX_DAYS</tt> and apply it to existing accounts with the\n<tt>-M</tt> flag.\n<br /><br />\nThe <tt>PASS_MIN_DAYS</tt> (<tt>-m</tt>) setting prevents password\nchanges for 7 days after the first change, to discourage password\ncycling. If you use this setting, train users to contact an administrator\nfor an emergency password change in case a new password becomes\ncompromised. The <tt>PASS_WARN_AGE</tt> (<tt>-W</tt>) setting gives\nusers 7 days of warnings at login time that their passwords are about to expire.\n<br /><br />\nFor example, for each existing human user <i>USER</i>, expiration parameters\ncould be adjusted to a 180 day maximum password age, 7 day minimum password\nage, and 7 day warning period with the following command:\n<pre>$ sudo chage -M 180 -m 7 -W 7 USER</pre>", "warnings": [], "requires": [], "conflicts": [], "values": ["var_accounts_maximum_age_login_defs", "var_accounts_maximum_age_root", "var_accounts_minimum_age_login_defs", "var_accounts_password_minlen_login_defs", "var_accounts_password_warn_age_login_defs"], "groups": {}, "rules": ["accounts_maximum_age_login_defs", "accounts_minimum_age_login_defs", "accounts_password_minlen_login_defs", "accounts_password_set_max_life_existing", "accounts_password_set_max_life_root", "accounts_password_set_min_life_existing", "accounts_password_set_warn_age_existing", "accounts_password_warn_age_login_defs", "accounts_set_post_pw_existing"], "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "title": "Set Password Expiration Parameters", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/group.yml"}