← Rules Catalog
mediumaccess-controlverified

Ensure all users last password change date is in the past

password-change-past · RHEL ≥ 9 · 1 impl

Description

All user password change dates should be in the past, not in the future, which could indicate tampering with shadow file.

Rationale

A future password change date could allow an attacker to prevent password expiration from taking effect.

Check → Remediate

Checkcommand
# Get current days since epoch
today=$(( $(date +%s) / 86400 ))
future_dates=""

while IFS=: read -r user passwd lastchg rest; do
  # Skip locked/disabled accounts and empty lastchg
  [ -z "$lastchg" ] && continue
  [ "$lastchg" = "0" ] && continue
  echo "$passwd" | grep -qE '^[!*]' && continue

  if [ "$lastchg" -gt "$today" ] 2>/dev/null; then
    future_dates="$future_dates $user"
  fi
done < /etc/shadow

if [ -n "$future_dates" ]; then
  echo "FAIL: Users with future password change dates:$future_dates"
  exit 1
fi
echo "OK: All password change dates are in the past"
exit 0
expected_exit:
0
Remediatemanual
note:
Investigate and fix accounts with future password change dates in /etc/shadow

Framework references

CIS

rhel9 5.4.1.6rhel10 5.4.1.6

NIST 800-53

IA-5

Live verification

rhel10:checkrhel9:check
#password#shadow#security#audit