mediumaccess-controlunverified
Ensure existing passwords have a minimum lifetime of 1 day
shadow-password-min-age · RHEL ≥ 8 · 1 impl
Description
Every interactive account (UID >= 1000) with a password must have a minimum password age (field 4 of /etc/shadow) of at least 1 day.
Rationale
A zero minimum age lets a user cycle rapidly through passwords to defeat history enforcement and return to a preferred password.
Check → Remediate
Checkcommand
fail=0
while IFS=: read -r user _ uid _ _ _ _; do
[ "$uid" -ge 1000 ] 2>/dev/null || continue
entry=$(awk -F: -v u="$user" '$1==u {print $2":"$4}' /etc/shadow)
hash=${entry%%:*}; minage=${entry##*:}
case "$hash" in ''|'!'*|'*'*) continue ;; esac
if [ -z "$minage" ] || [ "$minage" -lt 1 ] 2>/dev/null; then
echo "FAIL: $user min password age '${minage:-unset}' (must be >=1)"; fail=1
fi
done < /etc/passwd
[ "$fail" -eq 0 ] && { echo "OK: interactive accounts have min age >=1"; exit 0; }
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- chage -m 1 <user>; also set PASS_MIN_DAYS 1 in /etc/login.defs.
Framework references
STIG
V-281186 / RHEL-10-600270V-258105 / RHEL-09-611080
NIST 800-53
IA-5
#passwords#aging#min-age#shadow#stig