
System and application account passwords must be changed at least annually.


Overview

Finding ID: V-92247
Version: OL6-00-000055
Rule ID: SV-102349r1_rule
IA Controls:
Severity: Medium
Description
Any password, no matter how complex, can eventually be cracked. Therefore, system and application account passwords need to be changed periodically. If an organization fails to change the system and application account passwords at least annually, there is the risk that the account passwords could be compromised.
STIG: Oracle Linux 6 Security Technical Implementation Guide
Date: 2019-03-20

Details

Check Text (C-91413r1_chk)
Obtain a list of approved system and application accounts from the ISSO.

For each system and application account identified, run the following command:

# chage -l <account_name>

Last password change : Nov 05, 2018
Password expires : Nov 04, 2019
Password inactive : Dec 10, 2019
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 365
Number of days of warning before password expires : 7

If "Maximum number of days between password change" is greater than "365", this is a finding.

If the date of "Last password change" is more than 365 days in the past, this is a finding.

If the date of "Password expires" is more than 365 days after the date of "Last password change", this is a finding.
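
The three conditions above can be evaluated automatically when many accounts have to be reviewed. The following is an added example, not part of the STIG: it parses the text printed by `chage -l` and returns the findings for one account. The function names, the finding messages and the handling of "never" and non-numeric values are assumptions of this example.

```python
from datetime import date, datetime

MAX_DAYS = 365

# Constructed sample: the `chage -l` output shown in the check text above.
SAMPLE = """\
Last password change : Nov 05, 2018
Password expires : Nov 04, 2019
Password inactive : Dec 10, 2019
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
"""

def parse_chage(text):
    """Turn `chage -l` output into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse 'Nov 05, 2018' (English locale assumed); non-dates give None."""
    try:
        return datetime.strptime(value, "%b %d, %Y").date()
    except ValueError:
        return None

def findings(chage_output, today):
    """Apply the three check-text conditions to one account's output."""
    f = parse_chage(chage_output)
    max_days = f.get("Maximum number of days between password change", "")
    changed = parse_date(f.get("Last password change", ""))
    expires = parse_date(f.get("Password expires", ""))
    out = []
    # Assumption: a negative or non-numeric maximum means "no limit".
    if not max_days.isdigit() or int(max_days) > MAX_DAYS:
        out.append("maximum age exceeds 365 days")
    if changed is None:
        out.append("last change date unknown, review manually")
    elif (today - changed).days > MAX_DAYS:
        out.append("password older than 365 days")
    # Assumption: an expiry of "never" counts as later than 365 days.
    if changed and (expires is None or (expires - changed).days > MAX_DAYS):
        out.append("expiry more than 365 days after last change")
    return out

if __name__ == "__main__":
    print(findings(SAMPLE, date.today()))
```

To review a live account, pass the captured output of `chage -l <account_name>` to `findings()` together with the current date; an empty list means none of the three conditions was met.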
Fix Text (F-98455r1_fix)
Set the "Maximum number of days between password change" to "365":

# chage -M 365 <account_name>

Change the password for the system/application account:

# passwd <account_name>