The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221684	OL07-00-010260	SV-221684r1038967_rule	CCI-000199	medium
Description
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
STIG			Date
Oracle Linux 7 Security Technical Implementation Guide			2025-05-08

Related Frameworks

6 paths across 3 frameworks

NIST 800-531 mapping

IA-5(1)

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1714 mappings

3.5.10

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.7

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.8

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.9

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000199

1.00

DISA · 3 · disa_xccdf · related

Details

Check Text (C-221684r1038967_chk)

Check whether the maximum time period for existing passwords is restricted to 60 days. # awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.

Fix Text (F-23388r419125_fix)

Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. # chage -M 60 [user]