ansible-hardening/doc/metadata/rhel7/V-71931.rst

---id: V-71931 status: opt-in tag: accounts ---

Although the STIG requires that a maximum password lifetime is set for all interactive user accounts, the security benefits of this configuration are debatable. The draft of NIST Publication 800-63B argues that password rotation may reduce overall security in some situations.

Deployers can opt-in for this change by setting the following Ansible variable:

security_set_maximum_password_lifetime: yes

The tasks will examine each interactive user account and set the maximum password age if the existing setting is not equal to 60 days.