From 8fcc916a07454a53ef32241a563918abaf2a463a Mon Sep 17 00:00:00 2001
From: samson <sccxboy@gmail.com>
Date: Wed, 12 Sep 2018 04:47:02 +0800
Subject: [PATCH] Add 10.1.5 10.1.6 description to benchmark

---
 .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 51 ++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
index 9b6b76f..fab86b6 100644
--- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
+++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
@@ -352,7 +352,56 @@ If the "/etc/login.defs" configuration file does not exist or allows for passwor
 Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in "/etc/login.defs": 
 ```
 ENCRYPT_METHOD SHA512
-````
+```
+
+## 10.1.5 Set accounts minimum password lifetime (Scored) 
+
+### Profile Applicability
+Level 3
+
+### Description
+Passwords must be restricted to a 24 hours/1 day minimum lifetime.
+
+### Rationale
+Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
+
+### Aduit
+Check whether the minimum time period between password changes for each user account is one day or greater.
+```
+# awk -F: '$4 < 1 {print $1}' /etc/shadow 
+```
+If any results are returned that are not associated with a system account, this is a finding.
+
+### Remediation
+Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+```
+# chage -m 1 [username]
+```
+
+## 10.1.6 Set accounts maximum password lifetime (Scored) 
+
+### Profile Applicability
+Level 3
+
+### Description
+Existing passwords must be restricted to a 60-day maximum lifetime.
+
+### Rationale
+Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.   
+
+### Aduit
+Check whether the maximum time period for existing passwords is restricted to 60 days. 
+```
+# awk -F: '$5 > 60 {print $1}' /etc/shadow 
+```
+If any results are returned that are not associated with a system account, this is a finding.
+
+### Remediation
+Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
+```
+# chage -M 60 [username]
+```
+
 
 
 template