max_password_age

This built-in function ensures that the maximum password age (e.g., the time when users are forced to change their passwords) is in the defined range.

Having a maximum password age prevents users from keeping the same password for multiple years. Changing passwords often helps prevent an attacker possessing a password from using it indefinitely.

Operating System	Implementation
Linux	The variable PASS_MAX_DAYS is defined in `/etc/login.defs`.
Solaris	The variable MAXWEEKS in `/etc/default/passwd` defines the maximum number of weeks a password can be used.
HP-UX	This value is controlled by the variable PASSWORD_MAXDAYS in `/etc/default/security`.
macOS	The option “maxMinutesUntilChangePassword” of the password policy (as set through the `pwpolicy` tool) can be used to set this value.

Usage

<item>

name: "max_password_age"

description: "This check reports agents that have a system default maximum password age greater than the specified value and agents that do not have a maximum password age setting."

value: "<min>..<max>"

</item>

Example

<item>

name: "max_password_age"

description: "Make sure a password can not be used for more than 21 days"

value: "1..21"

</item>