OL 8 user account passwords must have a 60-day maximum password lifetime restriction.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-248696	OL08-00-020200	SV-248696r1038967_rule	CCI-004066	medium
Description
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If OL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that OL 8 passwords could be compromised.
STIG			Date
Oracle Linux 8 Security Technical Implementation Guide			2025-05-13

Related Frameworks

6 paths across 3 frameworks

NIST 800-531 mapping

IA-5(1)

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1714 mappings

3.5.10

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.7

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.8

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.5.9

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-004066

1.00

DISA · 2 · disa_xccdf · related

Details

Check Text (C-248696r1038967_chk)

Verify that OL 8 enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ sudo grep -i pass_max_days /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding.

Fix Text (F-52084r779653_fix)

Configure OL 8 to enforce a 60-day maximum password lifetime. Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60