mediumaccess-controlunverified
Ensure existing passwords have a maximum lifetime of 60 days
shadow-password-max-age · RHEL ≥ 8 · 1 impl
Description
Every interactive account (UID >= 1000) that has a password must have a maximum password age (field 5 of /etc/shadow) between 1 and 60 days. A value greater than 60, or 0/blank (never expires), is a finding.
Rationale
Bounding password lifetime limits the window in which a compromised credential remains useful. An unset or over-long maximum age leaves stale passwords valid indefinitely.
Check → Remediate
Checkcommand
fail=0
# Interactive accounts (UID >= 1000) that have a real password hash.
while IFS=: read -r user _ uid _ _ _ _; do
[ "$uid" -ge 1000 ] 2>/dev/null || continue
entry=$(awk -F: -v u="$user" '$1==u {print $2":"$5}' /etc/shadow)
hash=${entry%%:*}
maxage=${entry##*:}
case "$hash" in
''|'!'*|'*'*) continue ;; # no password / locked
esac
if [ -z "$maxage" ] || [ "$maxage" -le 0 ] 2>/dev/null || [ "$maxage" -gt 60 ] 2>/dev/null; then
echo "FAIL: $user has max password age '${maxage:-unset}' (must be 1-60)"
fail=1
fi
done < /etc/passwd
if [ "$fail" -eq 0 ]; then
echo "OK: all interactive account passwords expire within 60 days"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Set a 60-day maximum password age on each affected account: chage -M 60 <user> Also confirm PASS_MAX_DAYS 60 is set in /etc/login.defs for new accounts.
Framework references
STIG
V-281170 / RHEL-10-600110V-258042 / RHEL-09-411015V-230367 / RHEL-08-020210
NIST 800-53
IA-5
#passwords#aging#max-age#shadow#stig