
The operating system must enforce minimum password lifetime restrictions.


Overview

Finding ID: V-47953
Version: SOL-11.1-040030
Rule ID: SV-60825r2_rule
IA Controls:
Severity: Medium
Description
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse.
STIG: Solaris 11 SPARC Security Technical Implementation Guide
Date: 2017-03-02

Details

Check Text ( C-50389r3_chk )
The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater.

# awk -F: '$4 < 1 {print $1}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Check that /etc/default/passwd is configured with a minimum password change time of 1 week.

# grep "^MINWEEKS=" /etc/default/passwd

If the command does not report MINWEEKS=1, this is a finding.
Fix Text (F-51565r1_fix)
The root role is required.

# pfedit /etc/default/passwd

Locate the line containing:

MINWEEKS

Change the line to read:

MINWEEKS=1

Set the per-user minimum password change times by using the following command on each user account.

# passwd -n [number of days] [accountname]
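
The two checks from the Check Text above, combined into one audit script. This is an added example, not part of the STIG. The function names and the sample files are constructed, and treating accounts whose password field is NP or begins with *LK* as system accounts is an assumption, so review the exclusions against your own account inventory.

```sh
#!/bin/sh
# Added example: runs the STIG's two checks against files passed as arguments.

# Accounts whose minimum password age (shadow field 4) is unset or < 1 day.
# Assumption: a password field of NP or *LK*... marks a system/locked account.
min_age_findings() {
    awk -F: '
        $2 == "NP" || index($2, "*LK*") == 1 { next }  # assumed system account
        $4 + 0 < 1 { print $1 }                        # empty field counts as 0
    ' "$1"
}

# True only if the file reports exactly MINWEEKS=1 (commented-out lines fail).
minweeks_ok() {
    [ "$(grep '^MINWEEKS=' "$1")" = "MINWEEKS=1" ]
}

# Run both checks; print findings and return 1 if any check fails.
audit() {
    rc=0
    bad=$(min_age_findings "$1")
    if [ -n "$bad" ]; then
        echo "FINDING: minimum password age below 1 day:" $bad
        rc=1
    fi
    if ! minweeks_ok "$2"; then
        echo "FINDING: $2 does not report MINWEEKS=1"
        rc=1
    fi
    return $rc
}

# Constructed sample data (not real accounts or hashes).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$5$CONSTRUCTED:17200:1:56:7:::
daemon:NP:6445::::::
lp:*LK*:6445::::::
alice:$5$CONSTRUCTED:17200:7:56:7:::
bob:$5$CONSTRUCTED:17200:0:56:7:::
carol:$5$CONSTRUCTED:17200::56:7:::
EOF
printf '#MINWEEKS=1\nMAXWEEKS=8\n' > "$SAMPLE_DIR/passwd.bad"
printf 'MINWEEKS=1\nMAXWEEKS=8\n' > "$SAMPLE_DIR/passwd.ok"

audit "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd.bad" || echo "audit: findings present"
```

On a live system, run audit as the root role with /etc/shadow and /etc/default/passwd as its two arguments.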