The PASS_WARN_AGE setting in /etc/login.defs defines the number of days before password expiration that users are warned.To comply with CIS Ubuntu Linux Benchmark, this value should be set to 7 to provide sufficient notice for users to change passwords.
PoC代码[已公开]
id: password-warn-age
info:
name: Ensure Password Expiration Warning Days is Configured
author: Th3l0newolf
severity: medium
description: |
The PASS_WARN_AGE setting in /etc/login.defs defines the number of days before password expiration that users are warned.To comply with CIS Ubuntu Linux Benchmark, this value should be set to 7 to provide sufficient notice for users to change passwords.
remediation: |
Edit /etc/login.defs and ensure the line is set to: PASS_WARN_AGE 7.Verify the change with: grep -Pi -- '^\h*PASS_WARN_AGE\h+\d+\b' /etc/login.defs
reference:
- https://www.cisecurity.org/benchmark/ubuntu_linux
metadata:
verified: true
tags: cis,local,cisecurity,audit,linux,ubuntu,password
self-contained: true
code:
- engine:
- bash
args:
- "-c"
- |
WARN_AGE_LINE=$(grep -Pi -- '^\h*PASS_WARN_AGE\h+\d+\b' /etc/login.defs | head -n1)
if [ -n "$WARN_AGE_LINE" ]; then
VALUE=$(echo "$WARN_AGE_LINE" | awk '{print $2}')
if [ "$VALUE" -eq 7 ]; then
echo "[password-warn-age-check:Policy-Pass] [PASS_WARN_AGE is $VALUE (valid)] [CIS_PASS]"
else
echo "[password-warn-age-check:Policy-Fail] [PASS_WARN_AGE is $VALUE (invalid)] [CIS_FAIL]"
fi
else
echo "[password-warn-age-check:Policy-Fail] [PASS_WARN_AGE not set or malformed] [CIS_FAIL]"
fi
matchers:
- type: word
name: policy-pass
words:
- "Policy-Pass"
- type: word
name: policy-fail
words:
- "Policy-Fail"
# digest: 4a0a00473045022015f03c2bbecc12ef5fd92faa8928633477ade84d8fcd8980daad1984cba9ce56022100bc5d09e37c69098da51ad12d5fe668c86785f76d2b1e1b19515f3018a73f9e8a:922c64590222798bb761d5b6d8e72950