Set Existing Passwords Warning Age
Description
To configure how many days prior to password expiration that a warning will be issued to
users, run the command:
$ sudo chage --warndays 7 USER
The DoD requirement is 7, and the CIS recommendation is no less than 7 days.
This profile's requirement is 7.
This rule covers accounts that already exist: chage edits the warning field in /etc/shadow for one user at a time, while the default for newly created accounts comes from PASS_WARN_AGE in /etc/login.defs and is handled by a separate rule. The remediations below only raise the value for accounts whose warning age is currently unset or below 7 and which carry a real password hash; locked accounts and accounts already at 7 or more days are left unchanged.
Rationale
Providing an advance warning that a password will be expiring gives users
time to think of a secure password. Users caught unaware may choose a simple
password or write it down where it may be discovered.
Shell script
The following script can be run on the host (as root, since it reads /etc/shadow and calls chage) to remediate the issue.
var_accounts_password_warn_age_login_defs='7'

# Select accounts whose warning-age field ($6 in /etc/shadow) is empty or below the
# required value, but only where the password field ($2) starts with '$', i.e. a real
# hash; locked ('!') and passwordless ('*') accounts are skipped.
while IFS= read -r i; do
    chage --warndays "$var_accounts_password_warn_age_login_defs" "$i"
done < <(awk -v var="$var_accounts_password_warn_age_login_defs" -F: '(($6 < var || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow)
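To see the selection logic of the script above work on realistic data without touching a live /etc/shadow, here is an added example (not ComplianceAsCode's own code) that wraps the same awk filter in a function, runs it against a constructed shadow-format file covering the cases that matter (a compliant account, one below the threshold, one with an empty warning field, one above the threshold, a '*' system account and a '!'-locked account), and prints the chage calls the remediation would make instead of executing them. The file contents, user names and hashes are invented for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for password warning age and plan the
# chage calls that would bring non-compliant accounts up to the minimum.
set -u

# Print login names whose warn field ($6) is empty or below $min, restricted to
# accounts whose password field ($2) is a real hash (starts with '$'). This is the
# same filter the page's remediation uses; it takes the file as an argument so it
# can be run against a copy or a constructed sample.
find_noncompliant_warn_age() {
    shadow_file=$1
    min=$2
    awk -v min="$min" -F: '(($6 < min || $6 == "") && $2 ~ /^\$/) {print $1}' "$shadow_file"
}

# Emit, one per line, the chage command that would fix each non-compliant account.
# Nothing is executed: pipe the output to sh as root once it has been reviewed.
plan_warn_age_remediation() {
    shadow_file=$1
    min=$2
    find_noncompliant_warn_age "$shadow_file" "$min" | while IFS= read -r user; do
        printf 'chage --warndays %s %s\n' "$min" "$user"
    done
}

# Return 0 when no account in the file needs remediation, 1 otherwise.
warn_age_is_compliant() {
    [ -z "$(find_noncompliant_warn_age "$1" "$2")" ]
}

# Constructed sample in /etc/shadow format (fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved).
# The hashes are placeholders, not real password hashes.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:90:3:::
bob:$6$salt$hash:19000:0:90::::
carol:$6$salt$hash:19000:0:90:14:::
svc:*:19000:0:99999:7:::
dave:!$6$salt$hash:19000:0:90:1:::
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: only alice (3 days) and bob (empty field) should be listed.
demo() {
    sample=$(make_sample_shadow)
    echo "Accounts below the 7-day warning age:"
    find_noncompliant_warn_age "$sample" 7
    echo "Planned remediation:"
    plan_warn_age_remediation "$sample" 7
    rm -f "$sample"
}
demo
```

On a real host, run `plan_warn_age_remediation /etc/shadow 7` as root to review the changes, then confirm a single account with `chage -l USER`, whose "Number of days of warning before password expires" line should read 7 after remediation. Because the filter only raises values that are below the minimum, an account deliberately configured with a longer warning period (carol at 14 days above) is never lowered.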
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable
  set_fact:
    var_accounts_password_warn_age_login_defs: !!str 7
  tags:
    - always

- name: Set Existing Passwords Warning Age - Collect Users With Incorrect Number of Days of Warning Before Password Expires
  ansible.builtin.command:
    cmd: awk -F':' '(($6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
  register: result_pass_warn_age_user_names
  changed_when: false
  tags:
    - CCE-86913-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-53-IA-5(f)
    - accounts_password_set_warn_age_existing
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set Existing Passwords Warning Age - Ensure the Number of Days of Warning Before Password Expires
  ansible.builtin.command:
    cmd: chage --warndays {{ var_accounts_password_warn_age_login_defs }} {{ item }}
  with_items: '{{ result_pass_warn_age_user_names.stdout_lines }}'
  when: result_pass_warn_age_user_names.stdout_lines | length > 0
  tags:
    - CCE-86913-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(d)
    - NIST-800-53-IA-5(f)
    - accounts_password_set_warn_age_existing
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed