The operating system must enforce minimum password lifetime restrictions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-47953	SOL-11.1-040030	SV-60825r2_rule		Medium

Description
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2017-06-21

Details

Check Text ( C-50389r3_chk )
The root role is required. Check whether the minimum time period between password changes for each user account is 1 day or greater. # awk -F: '$4 < 1 {print $1}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 week. # grep "^MINWEEKS=" /etc/default/passwd If the command does not report MINWEEKS=1, this is a finding.

Check Text ( C-50389r3_chk )

The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater.

# awk -F: '$4 < 1 {print $1}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.

Check that /etc/default/password is configured to minimum password change time of 1 week.

# grep "^MINWEEKS=" /etc/default/passwd

If the command does not report MINWEEKS=1, this is a finding.

Fix Text (F-51565r1_fix)
The root role is required. # pfedit /etc/default/passwd file. Locate the line containing: MINWEEKS Change the line to read: MINWEEKS=1 Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname]