AUTH-9286: PASS_MIN_DAYS reported as not configured when set to 0 and PASS_MAX_DAYS reported as not configured when set to 99999
Describe the bug
In the test AUTH-9286, Lynis checks whether PASS_MIN_DAYS is missing or set to the default, which is 0. If either is true, Lynis reports "Result: password minimum age is not configured". In the same test, Lynis also checks whether PASS_MAX_DAYS is missing or set to the default, which is 99999. If either is true, Lynis reports "Result: password aging limits are not configured".
Version
- OS: SLES 15
- Lynis version 3.0.6
Expected behavior
If PASS_MIN_DAYS is set to 0 in /etc/login.defs, I expect Lynis to either report no issue or report that it is recommended to increase the password minimum age beyond the default of 0. Reporting that password minimum age is not configured is confusing. The same goes for PASS_MAX_DAYS set to 99999, reporting that password maximum age is not configured.
Output x
Additional context
The relevant code cited in the first few lines is in the file "tests_authentication" and starts at lines 973 and 987, respectively:
line 973 (PASS_MIN_DAYS):
if [ -z "${FIND}" -o "${FIND}" = "0" ] ...
line 987 (PASS_MAX_DAYS):
if [ -z "${FIND}" -o "${FIND}" = "99999" ] ...
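The distinction the report asks for (entry missing versus entry explicitly set to the default) can be drawn with a three-way classification. This is an added example, not Lynis code or part of the original issue; the function names `classify_login_defs` and `report_password_aging` are hypothetical, and it assumes the last uncommented entry for a key is the effective one.

```shell
#!/bin/sh
# Added example, not Lynis code. Function names are hypothetical.
# Usage: classify_login_defs FILE KEY DEFAULT
# Prints one of: missing | default | custom
classify_login_defs() {
    file=$1 key=$2 default=$3
    # Skip comment lines; keep the value of the last "KEY value" entry
    # (assumption: the last occurrence is the effective one).
    value=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        $1 == k && NF >= 2 { v = $2 }
        END { if (v != "") print v }' "$file" 2>/dev/null) || value=""
    if [ -z "$value" ]; then
        echo "missing"
    elif [ "$value" = "$default" ]; then
        echo "default"
    else
        echo "custom"
    fi
}

# Report both keys from the issue with wording that separates the cases.
report_password_aging() {
    file=${1:-/etc/login.defs}
    for pair in PASS_MIN_DAYS:0 PASS_MAX_DAYS:99999; do
        key=${pair%%:*} default=${pair#*:}
        case $(classify_login_defs "$file" "$key" "$default") in
            missing) echo "$key: not configured (no entry in $file)" ;;
            default) echo "$key: explicitly set to the default ($default)" ;;
            custom)  echo "$key: configured with a non-default value" ;;
        esac
    done
}

# Constructed sample standing in for /etc/login.defs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PASS_MAX_DAYS 90
PASS_MIN_DAYS   0
EOF
report_password_aging "$sample"
rm -f "$sample"
```
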
Thanks for reporting.
It reports that one or both items are not configured, as they are still at their default. Now this subject of password aging is highly debated. Newer guidelines say to focus on password strength instead of a regular change. So along those lines, it makes sense that no suggestion is needed when one has their settings still at the default.
Thoughts?