Check: OL6-00-000053
Oracle Linux 6 STIG:
OL6-00-000053
(in versions v2 r7 through v1 r9)
Title
User passwords must be changed at least every 60 days. (Cat II impact)
Discussion
Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
Check Content
To check the maximum password age, run the command:

    $ grep PASS_MAX_DAYS /etc/login.defs

The DoD requirement is 60. If it is not set to the required value, this is a finding.
Fix Text
To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:

    PASS_MAX_DAYS [DAYS]

The DoD requirement is 60.
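The following is an added example, not part of the STIG text: a stricter version of the check that ignores commented-out PASS_MAX_DAYS lines (which the plain grep also prints) and, because the fix only applies to new accounts, lists existing accounts whose own maximum age is still above 60. The function names are hypothetical, and two points are assumptions: values from 1 to 60 are treated as passing, based on the "at least every 60 days" title, and the last uncommented entry is taken as the effective one.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the STIG.

# Print the effective PASS_MAX_DAYS from a login.defs-style file.
# Lines such as "#PASS_MAX_DAYS 60" or "# PASS_MAX_DAYS 60" are skipped.
# Assumption: if the key is repeated, the last uncommented entry wins.
effective_pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 }
         END { if (v != "") print v }' "${1:-/etc/login.defs}"
}

# Return 0 when the setting passes, 1 when it is a finding.
# Assumption: any value from 1 to 60 satisfies "at least every 60 days".
check_pass_max_days() {
    days=$(effective_pass_max_days "$1")
    case "$days" in
        ''|*[!0-9]*) return 1 ;;   # unset, negative or non-numeric
    esac
    [ "$days" -ge 1 ] && [ "$days" -le 60 ]
}

# PASS_MAX_DAYS only affects accounts created after the change, so also
# list existing accounts in a shadow-format file that have a usable
# password hash and a maximum age (field 5) that is empty or above 60.
# Entries whose hash field starts with "!" or "*" are skipped.
accounts_over_max_age() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > 60) {
                 print $1
             }' "${1:-/etc/shadow}"
}
```

Called without arguments, the functions read /etc/login.defs and /etc/shadow; reading /etc/shadow requires root.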
Additional Identifiers
Rule ID: SV-208828r793613_rule
Vulnerability ID: V-208828
Group Title: SRG-OS-000076
CCIs
Number | Definition |
---|---|
CCI-000199 | The information system enforces maximum password lifetime restrictions. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |