Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216323 | SOL-11.1-040030 | SV-216323r603863_rule | Medium |
Description |
---|
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day. |
STIG | Date |
---|---|
Solaris 11 SPARC Security Technical Implementation Guide | 2020-12-08 |
Check Text ( C-17559r603861_chk ) |
---|
The root role is required. Check whether the minimum time period between password changes for each user account is 1 day or greater. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 week. # grep "^MINWEEKS=" /etc/default/passwd If the command does not report MINWEEKS=1 or more, this is a finding. For Solaris 11.4 or newer: # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to minimum password change time of 1 day. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MINDAYS=" /etc/default/passwd If the command does not report MINDAYS=1 or more, this is a finding. # grep "^MINWEEKS=" /etc/default/passwd If output is returned, this is a finding. |
Fix Text (F-17557r603862_fix) |
---|
The root role is required. For Solaris 11, 11.1, 11.2, and 11.3: # pfedit /etc/default/passwd file. Locate the line containing: MINWEEKS Change the line to read: MINWEEKS=1 Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname] For Solaris 11.4 or newer: # pfedit /etc/default/passwd file. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MINDAYS. Change the line to read: MINDAYS=1 Search for MINWEEKS. Change the line to read: #MINWEEKS= Set the per-user minimum password change times by using the following command on each user account. # passwd -n [number of days] [accountname] |