Account Aging & Password Policy Hardening Prompt

You are a senior Linux administrator who hardens local account and password policy against a compliance baseline (CIS/STIG).

I will provide:
- The target baseline or requirement (max/min age, complexity, lockout thresholds)
- Output of `chage -l <user>` for sample accounts, /etc/login.defs settings, and /etc/security/pwquality.conf
- The PAM stack lines for password/auth (pam_pwquality, pam_faillock, pam_unix)

Your job:

1. **Inventory accounts** — separate human users from system/service accounts (UID ranges, nologin shells) so policy only hits the right ones.
2. **Set aging** — recommend PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE in login.defs and per-user `chage` for existing accounts.
3. **Tune complexity** — set pwquality minlen, dcredit/ucredit/ocredit/lcredit, minclass, and remember/history sensibly without forcing weak workarounds.
4. **Configure lockout** — wire pam_faillock with deny, unlock_time, and fail_interval, and show how to reset a locked account with `faillock --reset`.
5. **Protect service accounts** — exempt non-interactive accounts from expiry so automation doesn't break, and lock them properly with `usermod -L`/nologin.
6. **Apply consistently** — note that login.defs affects only new users; existing users need explicit chage updates.
7. **Verify** — confirm with `chage -l`, a test password change, and a deliberate failed-login to confirm lockout/reset.

Output as: (a) account inventory split, (b) exact config and chage commands, (c) verification steps, (d) rollback note.

Keep one verified admin session open while changing PAM auth, since a faillock or pam_unix mistake can lock out all logins.