← Rules Catalog
mediumaccess-controlunverified

Ensure existing passwords have a maximum lifetime of 60 days

shadow-password-max-age · RHEL ≥ 8 · 1 impl

Description

Every interactive account (UID >= 1000) that has a password must have a maximum password age (field 5 of /etc/shadow) between 1 and 60 days. A value greater than 60, or 0/blank (never expires), is a finding.

Rationale

Bounding password lifetime limits the window in which a compromised credential remains useful. An unset or over-long maximum age leaves stale passwords valid indefinitely.

Check → Remediate

Checkcommand
fail=0
# Interactive accounts (UID >= 1000) that have a real password hash.
while IFS=: read -r user _ uid _ _ _ _; do
  [ "$uid" -ge 1000 ] 2>/dev/null || continue
  entry=$(awk -F: -v u="$user" '$1==u {print $2":"$5}' /etc/shadow)
  hash=${entry%%:*}
  maxage=${entry##*:}
  case "$hash" in
    ''|'!'*|'*'*) continue ;;   # no password / locked
  esac
  if [ -z "$maxage" ] || [ "$maxage" -le 0 ] 2>/dev/null || [ "$maxage" -gt 60 ] 2>/dev/null; then
    echo "FAIL: $user has max password age '${maxage:-unset}' (must be 1-60)"
    fail=1
  fi
done < /etc/passwd
if [ "$fail" -eq 0 ]; then
  echo "OK: all interactive account passwords expire within 60 days"
  exit 0
fi
exit 1
expected_exit:
0
Remediatemanual
note:
Set a 60-day maximum password age on each affected account: chage -M 60 <user> Also confirm PASS_MAX_DAYS 60 is set in /etc/login.defs for new accounts.

Framework references

STIG

V-281170 / RHEL-10-600110V-258042 / RHEL-09-411015V-230367 / RHEL-08-020210

NIST 800-53

IA-5
#passwords#aging#max-age#shadow#stig