2025-08-19 18:03:12 +05:30
id : password-min-days
2025-06-18 23:58:37 -07:00
info :
name : Ensure Minimum Password Days is Configured
author : Th3l0newolf
severity : medium
description : |
2025-08-19 18:03:12 +05:30
The PASS_MIN_DAYS setting in /etc/login.defs defines the minimum number of days required between password changes.This prevents users from rapidly cycling through passwords to bypass password history requirements.
2025-06-18 23:58:37 -07:00
remediation : |
2025-08-19 18:38:32 +05:30
Edit /etc/login.defs and ensure the line is set to: PASS_MIN_DAYS 1 (or another value greater than 0).Verify the change with : grep -Pi -- '^\h*PASS_MIN_DAYS\h+\d+\b' /etc/login.defs
2025-06-18 23:58:37 -07:00
reference :
- https://www.cisecurity.org/benchmark/ubuntu_linux
metadata :
verified : true
2025-08-28 23:41:32 +05:30
tags : cis,local,cisecurity,audit,linux,ubuntu,password
2025-06-18 23:58:37 -07:00
self-contained : true
code :
- engine :
- bash
args :
- "-c"
- |
MIN_DAYS_LINE=$(grep -Pi -- '^\h*PASS_MIN_DAYS\h+\d+\b' /etc/login.defs | head -n1)
if [ -n "$MIN_DAYS_LINE" ]; then
VALUE=$(echo "$MIN_DAYS_LINE" | awk '{print $2}')
if [ "$VALUE" -gt 0 ]; then
2025-08-19 18:03:12 +05:30
echo "[password-min-days-check:Policy-Pass] [PASS_MIN_DAYS is $VALUE (valid)] [CIS_PASS]"
2025-06-18 23:58:37 -07:00
else
2025-08-19 18:03:12 +05:30
echo "[password-min-days-check:Policy-Fail] [PASS_MIN_DAYS is $VALUE (invalid)] [CIS_FAIL]"
2025-06-18 23:58:37 -07:00
fi
else
2025-08-19 18:03:12 +05:30
echo "[password-min-days-check:Policy-Fail] [PASS_MIN_DAYS not set or malformed] [CIS_FAIL]"
2025-06-18 23:58:37 -07:00
fi
matchers :
- type : word
name : policy-pass
words :
- "Policy-Pass"
- type : word
name : policy-fail
words :
2025-08-21 12:45:03 +00:00
- "Policy-Fail"
2025-08-29 10:06:03 +00:00
# digest: 4a0a004730450220330c91b891028088a62cf87539435efb09e867da81d82656fe153f2032b450c8022100f5c059a68d37d56fbb607417af39f2cdad76a318f41d466fb1d89e57edf1d05c:922c64590222798bb761d5b6d8e72950
