← Rules Catalog
mediumaccess-controlunverified

Ensure existing passwords have a minimum lifetime of 1 day

shadow-password-min-age · RHEL ≥ 8 · 1 impl

Description

Every interactive account (UID >= 1000) with a password must have a minimum password age (field 4 of /etc/shadow) of at least 1 day.

Rationale

A zero minimum age lets a user cycle rapidly through passwords to defeat history enforcement and return to a preferred password.

Check → Remediate

Checkcommand
fail=0
while IFS=: read -r user _ uid _ _ _ _; do
  [ "$uid" -ge 1000 ] 2>/dev/null || continue
  entry=$(awk -F: -v u="$user" '$1==u {print $2":"$4}' /etc/shadow)
  hash=${entry%%:*}; minage=${entry##*:}
  case "$hash" in ''|'!'*|'*'*) continue ;; esac
  if [ -z "$minage" ] || [ "$minage" -lt 1 ] 2>/dev/null; then
    echo "FAIL: $user min password age '${minage:-unset}' (must be >=1)"; fail=1
  fi
done < /etc/passwd
[ "$fail" -eq 0 ] && { echo "OK: interactive accounts have min age >=1"; exit 0; }
exit 1
expected_exit:
0
Remediatemanual
note:
chage -m 1 <user>; also set PASS_MIN_DAYS 1 in /etc/login.defs.

Framework references

STIG

V-281186 / RHEL-10-600270V-258105 / RHEL-09-611080

NIST 800-53

IA-5
#passwords#aging#min-age#shadow#stig