mediumaccess-controlverified ✓
Ensure all users last password change date is in the past
password-change-past · RHEL ≥ 9 · 1 impl
Description
All user password change dates should be in the past, not in the future, which could indicate tampering with shadow file.
Rationale
A future password change date could allow an attacker to prevent password expiration from taking effect.
Check → Remediate
Checkcommand
# Get current days since epoch
today=$(( $(date +%s) / 86400 ))
future_dates=""
while IFS=: read -r user passwd lastchg rest; do
# Skip locked/disabled accounts and empty lastchg
[ -z "$lastchg" ] && continue
[ "$lastchg" = "0" ] && continue
echo "$passwd" | grep -qE '^[!*]' && continue
if [ "$lastchg" -gt "$today" ] 2>/dev/null; then
future_dates="$future_dates $user"
fi
done < /etc/shadow
if [ -n "$future_dates" ]; then
echo "FAIL: Users with future password change dates:$future_dates"
exit 1
fi
echo "OK: All password change dates are in the past"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Investigate and fix accounts with future password change dates in /etc/shadow
Framework references
CIS
rhel9 5.4.1.6rhel10 5.4.1.6
NIST 800-53
IA-5
Live verification
rhel10:checkrhel9:check
#password#shadow#security#audit