mediumaccess-controlverified ✓rollback-safe
Set maximum password age
login-defs-pass-max-days · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The PASS_MAX_DAYS parameter in /etc/login.defs defines the maximum number of days a password may be used before it must be changed.
Rationale
Requiring regular password changes reduces the window of opportunity for an attacker to use a compromised password. 365 days is a reasonable balance between security and usability.
Check → Remediate
Checkconfig_value
- delimiter:
- path:
- /etc/login.defs
- key:
- PASS_MAX_DAYS
- expected:
- {{ login_defs_pass_max_days }}
- comparator:
- <=
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- PASS_MAX_DAYS
- value:
- {{ login_defs_pass_max_days }}
Framework references
CIS
rhel8 5.4.1.1rhel9 5.4.1.1rhel10 5.4.1.1ubuntu24 5.4.1.1ubuntu22 5.4.1.1
STIG
V-258041 / RHEL-09-411010V-230366V-270731 / UBTU-24-400310V-260546 / UBTU-22-411030V-281169 / RHEL-10-600100
NIST 800-53
IA-5(1)(d)
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#password#authentication#user-accounts#login-defs