id: password-min-days

info:
  name: Ensure Minimum Password Days is Configured
  author: Th3l0newolf
  severity: medium
  description: |
    The PASS_MIN_DAYS setting in /etc/login.defs defines the minimum number of days required between password changes.This prevents users from rapidly cycling through passwords to bypass password history requirements.
  remediation: |
    Edit /etc/login.defs and ensure the line is set to: PASS_MIN_DAYS 1 (or another value greater than 0).Verify the change with: grep -Pi -- '^\h*PASS_MIN_DAYS\h+\d+\b' /etc/login.defs
  reference:
    - https://www.cisecurity.org/benchmark/ubuntu_linux
  metadata:
    verified: true
  tags: cis,local,cisecurity,audit,linux,ubuntu,password

self-contained: true

code:
  - engine:
      - bash

    args:
      - "-c"
      - |
        MIN_DAYS_LINE=$(grep -Pi -- '^\h*PASS_MIN_DAYS\h+\d+\b' /etc/login.defs | head -n1)
        if [ -n "$MIN_DAYS_LINE" ]; then
          VALUE=$(echo "$MIN_DAYS_LINE" | awk '{print $2}')
          if [ "$VALUE" -gt 0 ]; then
            echo "[password-min-days-check:Policy-Pass] [PASS_MIN_DAYS is $VALUE (valid)] [CIS_PASS]"
          else
            echo "[password-min-days-check:Policy-Fail] [PASS_MIN_DAYS is $VALUE (invalid)] [CIS_FAIL]"
          fi
        else
          echo "[password-min-days-check:Policy-Fail] [PASS_MIN_DAYS not set or malformed] [CIS_FAIL]"
        fi

    matchers:
      - type: word
        name: policy-pass
        words:
          - "Policy-Pass"

      - type: word
        name: policy-fail
        words:
          - "Policy-Fail"
# digest: 4a0a004730450220330c91b891028088a62cf87539435efb09e867da81d82656fe153f2032b450c8022100f5c059a68d37d56fbb607417af39f2cdad76a318f41d466fb1d89e57edf1d05c:922c64590222798bb761d5b6d8e72950