
Ensure 'default_password_lifetime' Is Less Than Or Equal To '90'

Description

Password expiry provides passwords with a time bounded lifetime.

Rationale

This rule prevents passwords from remaining valid indefinitely, which limits how long a compromised password stays usable by an attacker. Note that MySQL treats a default_password_lifetime of 0 as "passwords never expire", so a value of 0 must be treated as non-compliant even though it is numerically below 90.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     mysql

Default Rule

const { checkRdsVersion, OK_SKIP_VERSION, getServerSetting } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @param {Object} parameters - rule parameters
 * @param {string} parameters.defaultPasswordLifetime - maximum allowed lifetime in days ("90" by default)
 * @returns {{success: boolean}} success is true if default_password_lifetime is a positive
 *   number of days less than or equal to the desired lifetime; a value of 0 fails because
 *   MySQL treats 0 as "passwords never expire"
 */
function validate(databaseSettings, parameters = { defaultPasswordLifetime : "90" }) {
    // default_password_lifetime was introduced in MySQL 5.7.4; other engine versions are skipped
    const supportedVersions = ["5.7"]
    const supported = checkRdsVersion(databaseSettings, supportedVersions)
    if (!supported){
        return OK_SKIP_VERSION
    }

    const settingName = "default_password_lifetime"
    const currentValue = getServerSetting(databaseSettings, settingName)
    const lifetime = Number(currentValue)
    const maxLifetime = Number(parameters.defaultPasswordLifetime)

    // Reject a missing or non-numeric value, and reject 0: it is "<= 90" arithmetically,
    // but it disables expiry entirely, which is exactly what this rule exists to prevent.
    const success = typeof currentValue === 'string' &&
                    currentValue.trim() !== '' &&
                    Number.isFinite(lifetime) &&
                    lifetime > 0 &&
                    lifetime <= maxLifetime

    return {
        success,
    }
}

// invoke
// TODO: add support for parameters input type
validate(databaseSettings);
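The following is an added example, not SecureCloudDB's rule code, showing the same check evaluated offline against constructed settings objects so the edge cases are visible: 0 (expiry disabled), a value above the limit, a compliant value, a missing parameter, and an out-of-scope engine version. The settings shape `{ engineVersion, parameters }` and the function name `evaluatePasswordLifetime` are assumptions made for this example; the platform's `checkRdsVersion` and `getServerSetting` helpers are not used.

```javascript
// Added example, not part of the SecureCloudDB rule. The settings object
// shape below ({ engineVersion, parameters }) is an assumption for this
// example only; real database settings objects may differ.

const SUPPORTED_MAJOR_MINOR = ["5.7"];

// Returns { status: "PASS" | "FAIL" | "SKIP", reason } for one settings object.
function evaluatePasswordLifetime(settings, maxDays = 90) {
  const version = String(settings.engineVersion || "");
  const supported = SUPPORTED_MAJOR_MINOR.some(
    (v) => version === v || version.startsWith(v + ".")
  );
  if (!supported) {
    return { status: "SKIP", reason: `engine version ${version || "(unknown)"} not in scope` };
  }

  const raw = settings.parameters ? settings.parameters.default_password_lifetime : undefined;
  if (raw === undefined || raw === null || String(raw).trim() === "") {
    // A parameter that is not reported cannot be shown compliant, so it fails.
    return { status: "FAIL", reason: "default_password_lifetime not present in settings" };
  }

  const days = Number(raw);
  if (!Number.isInteger(days) || days < 0) {
    return { status: "FAIL", reason: `unparseable value ${JSON.stringify(raw)}` };
  }
  if (days === 0) {
    // MySQL treats 0 as "passwords never expire"; a plain <= comparison would pass it.
    return { status: "FAIL", reason: "0 disables expiry (passwords never expire)" };
  }
  if (days > maxDays) {
    return { status: "FAIL", reason: `${days} days exceeds maximum of ${maxDays}` };
  }
  return { status: "PASS", reason: `${days} days is within maximum of ${maxDays}` };
}

// Constructed sample settings, one per case (not real RDS output).
const SAMPLES = {
  neverExpires: { engineVersion: "5.7.38", parameters: { default_password_lifetime: "0" } },
  tooLong:      { engineVersion: "5.7.38", parameters: { default_password_lifetime: "365" } },
  compliant:    { engineVersion: "5.7.38", parameters: { default_password_lifetime: "90" } },
  missing:      { engineVersion: "5.7.38", parameters: {} },
  outOfScope:   { engineVersion: "8.0.32", parameters: { default_password_lifetime: "0" } },
};

// Evaluate every sample and return a name -> status map.
function runSamples() {
  const out = {};
  for (const [name, settings] of Object.entries(SAMPLES)) {
    out[name] = evaluatePasswordLifetime(settings).status;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, settings] of Object.entries(SAMPLES)) {
    const r = evaluatePasswordLifetime(settings);
    console.log(`${name.padEnd(13)} ${r.status.padEnd(5)} ${r.reason}`);
  }
}
```

The point of the `days === 0` branch is that a naive "less than or equal to 90" comparison accepts 0, which on MySQL means expiry is switched off entirely; any implementation of this rule should treat 0 as a failure, not a pass.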