Modify Salt Master password expiration

Modify Salt Master password expiration

Due to CIS 5.4.1.1, the Salt Master node password expiration is set to maximum 90 days with a subsequent access lock if the password is not updated. As a result, if the user does not update the password, even if PasswordAuthentication is disabled, access to the Salt Master node may be lost. Perform the following steps to either disable CIS 5.4.1.1 or update the time stamp of the last password change.

To modify the Salt Master node password expiration:

  • For MCP versions before the 2019.2.6 maintenance update, disable CIS 5.4.1.1:

    1. Log in to the Salt Master node.

    2. Choose from the following options:

      • Disable CIS 5.4.1.1 on all nodes for all users:

        salt '*' cmd.run "getent passwd|awk -F':' '{print \$1}'|xargs -I{} chage -M 99999 -m 7 {}"
        
      • Disable CIS 5.4.1.1 for a particular user:

        salt '*' cmd.run "chage -M 99999 -m 7 <account>"
        
    3. Run chage -l <account> to verify that Password expires is set to never and Maximum number of days between password change is set to 99999. For example:

      chage -l <account>
      Last password change                    : Jan 29, 2020
      Password expires                    : never
      Password inactive                   : never
      Account expires                     : never
      Minimum number of days between password change      : 7
      Maximum number of days between password change      : 99999
      Number of days of warning before password expires   : 7
      
  • For MCP versions starting from the 2019.2.6 maintenance update, update the time stamp of the last password change using the helper function. The helper does not update the password itself. Update the time stamp using the helper function every 30 days or set a cron job to update the time stamp automatically.

    1. Log in to the Salt Master node.

    2. Choose from the following options:

      • Update the time stamp of the last password change for all users:

        salt '*' sharedlib.call cis.fix_last_password_change
        
      • Update the time stamp of the last password change for particular users:

        salt '*' sharedlib.call cis.fix_last_password_change <account1> [<account2>]
        
    3. Run chage -l <account> to verify that Last password change is set to the current date and Password expires is set to the date 90 days after the current one. For example:

      chage -l <account>
      Last password change                    : Jan 29, 2020
      Password expires                    : Apr 28, 2020
      Password inactive                   : never
      Account expires                     : never
      Minimum number of days between password change      : 7
      Maximum number of days between password change      : 90
      Number of days of warning before password expires   : 7
      
    4. Optional. Set a cron job to automatically update the time stamp every 30 days:

      1. Run crontab -e.

      2. Schedule the cron job:

        0 1 1 * * salt '*' sharedlib.call cis.fix_last_password_change <account1>