During a password change, the system must determine if password aging attributes are inherited from the /etc/default/security file attributes when no password aging is specified in the shadow file for local users.


Overview

Finding ID: V-40492
Version: GEN000000-HPUX0450
Rule ID: SV-52481r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Password aging attributes are stored in /etc/default/security and /etc/shadow. Any time a password aging policy is changed, policy requirements are updated in /etc/default/security. If the system is allowed to override or ignore updates made to /etc/default/security, deprecated password aging policies will remain in effect and newer requirements will never be enforced.
STIG: HP-UX SMSE Security Technical Implementation Guide
Date: 2014-02-28

Details

Check Text (C-47028r1_chk)
For Trusted Mode:
If the system is operating in Trusted Mode, this check is not applicable.

For SMSE:
Check the OVERRIDE_SYSDEF_PWAGE attribute setting.
# grep OVERRIDE_SYSDEF_PWAGE /etc/default/security

If the OVERRIDE_SYSDEF_PWAGE attribute is missing or not set to 0, this is a finding.
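
The grep in the check text also matches commented-out lines, so its output still has to be read by hand. The POSIX shell function below is an added example, not part of the STIG, that applies the finding criteria mechanically on an SMSE (non-Trusted Mode) system. The function name check_pwage, the sample file contents, and the choice to report conflicting duplicate assignments as a finding are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate OVERRIDE_SYSDEF_PWAGE the way
# the check text describes. Returns 0 = not a finding, 1 = finding.
# Usage: check_pwage [file]   (defaults to /etc/default/security)
check_pwage() {
    file=${1:-/etc/default/security}
    [ -r "$file" ] || { echo "FINDING: cannot read $file"; return 1; }

    # Active assignments only. A commented-out "#OVERRIDE_SYSDEF_PWAGE=0"
    # shows up in a plain grep but does not set the attribute.
    lines=$(grep '^[[:space:]]*OVERRIDE_SYSDEF_PWAGE[[:space:]]*=' "$file" || true)
    if [ -z "$lines" ]; then
        echo "FINDING: OVERRIDE_SYSDEF_PWAGE is missing from $file"
        return 1
    fi

    # Assumption of this example: every active assignment must be exactly 0.
    # Duplicates with different values are reported rather than guessing
    # which one the system honours.
    bad=$(printf '%s\n' "$lines" |
        grep -v '^[[:space:]]*OVERRIDE_SYSDEF_PWAGE[[:space:]]*=[[:space:]]*0[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "FINDING: OVERRIDE_SYSDEF_PWAGE is not set to 0: $bad"
        return 1
    fi

    echo "OK: OVERRIDE_SYSDEF_PWAGE=0 in $file"
    return 0
}

# Constructed sample input (not taken from a real system): the only
# occurrence of the attribute is commented out, so this is a finding
# even though "grep OVERRIDE_SYSDEF_PWAGE" prints a line ending in "=0".
sample=${TMPDIR:-/tmp}/pwage_sample.$$
printf '%s\n' '# password aging policy' '#OVERRIDE_SYSDEF_PWAGE=0' > "$sample"
check_pwage "$sample" || true
rm -f "$sample"
```
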
Fix Text (F-45441r1_fix)
If the system is operating in Trusted Mode, no fix is required.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) to update the OVERRIDE_SYSDEF_PWAGE attribute. See the example below:
OVERRIDE_SYSDEF_PWAGE=0

Note: If manually editing the /etc/default/security file, save any change(s) before exiting the editor.