Title

Operating systems must enforce a 60-day maximum password lifetime restriction. (Cat II impact)

Discussion

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Satisfies: SRG-OS-000076-GPOS-00044

Check Content

Verify operating system enforces a 60-day maximum password lifetime restriction. If it does not, this is a finding. $ cat /etc/login.conf Ensure "passwordtime" is set under the "default" section and any other sections in use. If it is not set or is set to more than 60d, this is a finding.

Fix Text

Configure operating system to enforce a 60-day maximum password lifetime restriction.

Additional Identifiers

Rule ID:

Vulnerability ID: V-440

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.