← Rules Catalog
mediumaccess-controlverified rollback-safe

Set maximum password age

login-defs-pass-max-days · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The PASS_MAX_DAYS parameter in /etc/login.defs defines the maximum number of days a password may be used before it must be changed.

Rationale

Requiring regular password changes reduces the window of opportunity for an attacker to use a compromised password. 365 days is a reasonable balance between security and usability.

Check → Remediate

Checkconfig_value
delimiter:
path:
/etc/login.defs
key:
PASS_MAX_DAYS
expected:
{{ login_defs_pass_max_days }}
comparator:
<=
Remediateconfig_set
path:
/etc/login.defs
key:
PASS_MAX_DAYS
value:
{{ login_defs_pass_max_days }}

Framework references

CIS

rhel8 5.4.1.1rhel9 5.4.1.1rhel10 5.4.1.1ubuntu24 5.4.1.1ubuntu22 5.4.1.1

STIG

V-258041 / RHEL-09-411010V-230366V-270731 / UBTU-24-400310V-260546 / UBTU-22-411030V-281169 / RHEL-10-600100

NIST 800-53

IA-5(1)(d)

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#password#authentication#user-accounts#login-defs