User passwords must be changed at least every 60 days.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-11976	GEN000700	SV-38247r3_rule	IAIA-1 IAIA-2	Medium

Description
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password guessing attacks to run against a single password.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2015-12-02

Details

Check Text ( C-36288r3_chk )
For Trusted Mode: Check the exptm field for each user, or for all accounts: # getprpw -r -m exptm # logins -o -x \| awk -F: '{print $1” “$11}' If the exptm attribute is set equal to -1, 0, or greater than 60 for any user, this is a finding. For SMSE: Check the PASSWORD_MAXDAYS setting. The command and an example output is seen directly below: # egrep “PASSWORD_MAXDAYS\|PASSWORD_WARNDAYS” /etc/default/security /var/adm/userdb/* Example output from the above command, with the correctly assigned attribute values. Note that PASSWORD_MAXDAYS may deviate from 60. Illegal values include 0 (no warning). PASSWORD_MAXDAYS attribute exceptions that must not be used are 1-7 (values less than or equal to the required PASSWORD_WARNDAYS attribute setting): PASSWORD_MAXDAYS=60 PASSWORD_WARNDAYS=7 If the above attributes are either missing or not set per the above attribute values (exceptions noted above), this is a finding.

Check Text ( C-36288r3_chk )

For Trusted Mode:
Check the exptm field for each user, or for all accounts:
# getprpw -r -m exptm
# logins -o -x | awk -F: '{print $1” “$11}'

If the exptm attribute is set equal to -1, 0, or greater than 60 for any user, this is a finding.

For SMSE:
Check the PASSWORD_MAXDAYS setting. The command and an example output is seen directly below:
# egrep “PASSWORD_MAXDAYS|PASSWORD_WARNDAYS” /etc/default/security /var/adm/userdb/*

Example output from the above command, with the correctly assigned attribute values. Note that PASSWORD_MAXDAYS may deviate from 60. Illegal values include 0 (no warning). PASSWORD_MAXDAYS attribute exceptions that must not be used are 1-7 (values less than or equal to the required PASSWORD_WARNDAYS attribute setting):
PASSWORD_MAXDAYS=60
PASSWORD_WARNDAYS=7

If the above attributes are either missing or not set per the above attribute values (exceptions noted above), this is a finding.

Fix Text (F-31545r2_fix)
For Trusted Mode: Set the password maximum days field to 60 for all user accounts. # passwd -x 60 For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the PASSWORD_MAXDAYS attribute. See the below example: PASSWORD_MAXDAYS=60 PASSWORD_WARNDAYS=7 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Fix Text (F-31545r2_fix)

For Trusted Mode:
Set the password maximum days field to 60 for all user accounts.
# passwd -x 60

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the PASSWORD_MAXDAYS attribute. See the below example:
PASSWORD_MAXDAYS=60
PASSWORD_WARNDAYS=7

Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database.

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.