Check: RHEL-06-000055
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000055
(in versions v2 r2 through v1 r22)
Title
System and Application account passwords must be changed at least annually. (Cat II impact)
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, system and application account passwords need to be changed periodically. If an organization fails to change the system and application account passwords at least annually, there is the risk that the account passwords could be compromised.
Check Content
Obtain a list of approved system and application accounts from the ISSO. For each system and application account identified, run the following command:

# chage -l <application_account>
Last password change : Nov 05, 2018
Password expires : Nov 04, 2019
Password inactive : Dec 10, 2019
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 365
Number of days of warning before password expires : 7

If "Maximum number of days between password change" is greater than "365", this is a finding.
If the date of "Last password change" is more than 365 days in the past, this is a finding.
If the date of "Password expires" is more than 365 days after the date of "Last password change", this is a finding.
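The three conditions above applied to the `chage -l` output format, as an added audit helper that is not part of the STIG or of any Red Hat tooling; `check_live_account` and the `SAMPLE` text are my own constructions, and treating a maximum of -1 (no limit) as a finding is my interpretation rather than wording from the check.

```python
# Audit helper for RHEL-06-000055: evaluate `chage -l` output (hypothetical, not from the STIG).
import subprocess
from datetime import date, datetime
MAX_DAYS = 365  # ceiling required by the check

def parse_chage(output: str) -> dict:
    """Map each 'Field : value' line of `chage -l` to {field: value}."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def to_date(value: str):
    """chage prints dates like 'Nov 05, 2018'; 'never' (or any non-date) yields None."""
    try:
        return datetime.strptime(value, "%b %d, %Y").date()
    except ValueError:
        return None

def check_account(output: str, today: date) -> list:
    """Return the findings for one account's `chage -l` output (empty list = compliant)."""
    f = parse_chage(output)
    findings = []
    max_days = int(f.get("Maximum number of days between password change", "-1"))
    if max_days > MAX_DAYS or max_days < 0:  # -1 means no maximum; flagged too (my assumption)
        findings.append(f"maximum days between change is {max_days}, limit is {MAX_DAYS}")
    last = to_date(f.get("Last password change", ""))
    if last is None:
        findings.append("no parseable 'Last password change' date")
        return findings
    if (today - last).days > MAX_DAYS:
        findings.append(f"last password change {last} is more than {MAX_DAYS} days before {today}")
    expires = to_date(f.get("Password expires", ""))
    if expires is not None and (expires - last).days > MAX_DAYS:
        findings.append(f"expiry {expires} is more than {MAX_DAYS} days after last change {last}")
    return findings

def check_live_account(account: str) -> list:
    """Run `chage -l` for a real account (needs root) and evaluate its output."""
    out = subprocess.run(["chage", "-l", account], capture_output=True, text=True, check=True).stdout
    return check_account(out, date.today())

# Constructed sample with the values shown in the check text (other fields omitted).
SAMPLE = ("Last password change : Nov 05, 2018\nPassword expires : Nov 04, 2019\n"
          "Maximum number of days between password change : 365\n")

if __name__ == "__main__":
    for asof in (date(2019, 6, 1), date(2020, 1, 1)):
        print(asof, check_account(SAMPLE, asof) or "compliant")
```

Run as root to evaluate real accounts with `check_live_account("<application_account>")`; the same sample that passes on 2019-06-01 becomes a finding once the last change is more than 365 days old.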
Fix Text
Set the "Maximum number of days between password change" to "365":

# chage -M 365 <application_account>

Change the password for the system/application account:

# passwd <application_account>
Additional Identifiers
Rule ID: SV-217891r603264_rule
Vulnerability ID: V-217891
Group Title: SRG-OS-000076
CCIs
Number | Definition
---|---
CCI-000199 | The information system enforces maximum password lifetime restrictions.
Controls
Number | Title
---|---
IA-5(1) | Password-based Authentication