Set Password Warning Age

Classification: compliance

Framework:

Control:

Description

To specify how many days before password expiration users are warned, edit the file /etc/login.defs and add or correct the following line:

PASS_WARN_AGE 7

The DoD requirement is 7. The profile requirement is 7.

Rationale

Setting the password warning age gives users notice before expiration, so they can change their password at a practical time.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_accounts_password_warn_age_login_defs='7'

# Rewrite an existing active PASS_WARN_AGE line; the ^ anchor keeps
# commented-out lines and documentation comments untouched.
if grep -q '^PASS_WARN_AGE' /etc/login.defs; then
    sed -i "s/^PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
else
    # No active setting present: append one
    printf 'PASS_WARN_AGE\t%s\n' "$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
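
To verify the result after remediation, the following check reads a login.defs-style file and reports whether PASS_WARN_AGE is set, numeric, and at least the required value. It is an added example, not part of the original rule content; the function names, the constructed sample file, the "last occurrence takes effect" rule and the "at least 7" comparison are assumptions.

```shell
#!/bin/sh
# Added example: audit PASS_WARN_AGE in a login.defs-style file.
# Function names and the sample data are constructed for illustration.

# Print the value of the last active (uncommented) PASS_WARN_AGE line.
# Assumption: when the key is repeated, the last occurrence takes effect.
login_defs_warn_age() {
    awk '$1 == "PASS_WARN_AGE" { v = $2; found = 1 }
         END { if (found) print v; else exit 1 }' "$1"
}

# Return 0 if compliant, 1 if not set, 2 if not a number, 3 if too low.
# Assumption: a value greater than the requirement also passes.
check_warn_age() {
    file=$1 required=${2:-7}
    value=$(login_defs_warn_age "$file") || {
        echo "FAIL: PASS_WARN_AGE is not set in $file"
        return 1
    }
    case $value in
        ''|*[!0-9]*)
            echo "FAIL: PASS_WARN_AGE value '$value' is not a number"
            return 2 ;;
    esac
    if [ "$value" -lt "$required" ]; then
        echo "FAIL: PASS_WARN_AGE is $value, required at least $required"
        return 3
    fi
    echo "PASS: PASS_WARN_AGE is $value"
}

# Constructed sample: a commented-out line (ignored), an unrelated key,
# a weak setting, and a later corrected setting.
sample=$(mktemp)
printf '%s\n' '# PASS_WARN_AGE 14' 'PASS_MAX_DAYS 60' \
    'PASS_WARN_AGE 3' 'PASS_WARN_AGE 7' > "$sample"
check_warn_age "$sample" 7
rm -f "$sample"
```

On a real host, call `check_warn_age /etc/login.defs 7` and treat any non-zero exit status as a finding.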