Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216323 | SOL-11.1-040030 | SV-216323r986396_rule | | Medium |
Description |
---|
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allows the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day. |
STIG | Date |
---|---|
Solaris 11 SPARC Security Technical Implementation Guide | 2024-05-30 |
Check Text ( C-17559r986394_chk ) |
---|
The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater.

Determine the OS version to be secured.

```
# uname -v
```

For Solaris 11, 11.1, 11.2, and 11.3:

```
# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'
```

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to a minimum password change time of one week.

```
# grep "^MINWEEKS=" /etc/default/passwd
```

If the command does not report MINWEEKS=1 or more, this is a finding.

For Solaris 11.4 or newer:

```
# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'
```

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to a minimum password change time of 1 day.

Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

```
# grep "^MINDAYS=" /etc/default/passwd
```

If the command does not report MINDAYS=1 or more, this is a finding.

```
# grep "^MINWEEKS=" /etc/default/passwd
```

If output is returned, this is a finding.
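
The check above written as a script, added here as an example and not part of the STIG. The function names, the `weeks`/`days` mode argument and the sample account lines are assumptions constructed for illustration; the defaults file and the `logins -ox` output are passed in so the logic can be exercised away from a Solaris host.

```shell
#!/bin/sh
# Added example, not part of the STIG. Input is passed in so it runs off-host.

# True when $1 is a whole number >= 1.
at_least_one() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

# check_passwd_defaults MODE FILE  (hypothetical helper)
#   MODE "weeks" = Solaris 11 through 11.3, "days" = Solaris 11.4 or newer.
# Prints one line per finding, nothing when the file passes.
check_passwd_defaults() {
    weeks=$(sed -n 's/^MINWEEKS=//p' "$2" | tail -1)
    days=$(sed -n 's/^MINDAYS=//p' "$2" | tail -1)
    if [ "$1" = weeks ]; then
        at_least_one "$weeks" || echo "FINDING: MINWEEKS is not 1 or more"
    else
        at_least_one "$days" || echo "FINDING: MINDAYS is not 1 or more"
        # Any active MINWEEKS= line is a finding on 11.4, even an empty one.
        if grep '^MINWEEKS=' "$2" >/dev/null; then
            echo "FINDING: MINWEEKS is set together with MINDAYS"
        fi
    fi
    return 0
}

# Reads `logins -ox` output on stdin and applies the filter from the check,
# printing only the login name of each account below the one-day minimum.
# LC_ALL=C keeps the string comparison on field 10 byte-wise.
accounts_below_min() {
    LC_ALL=C awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print $1 }'
}

# Constructed sample data (not taken from a real system).
sample_logins() {
    cat <<'EOF'
root:0:root:0:Super-User:/root:/usr/bin/bash:PS:010124:-1:-1:-1
alice:100:staff:10:Alice:/export/home/alice:/usr/bin/bash:PS:010124:1:60:7
bob:101:staff:10:Bob:/export/home/bob:/usr/bin/bash:PS:010124:-1:-1:-1
svc:102:other:1:Service:/var/svc:/usr/bin/false:LK:010124:-1:-1:-1
EOF
}

tmp=$(mktemp)
printf 'MINDAYS=1\nMINWEEKS=\n' > "$tmp"   # empty MINWEEKS= left uncommented
check_passwd_defaults days "$tmp"
sample_logins | accounts_below_min
rm -f "$tmp"
```

On a real host, pass /etc/default/passwd as the file and pipe `logins -ox` into `accounts_below_min` from the root role.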
Fix Text (F-17557r986395_fix) |
---|
The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

Edit the /etc/default/passwd file.

```
# pfedit /etc/default/passwd
```

Locate the line containing:

```
MINWEEKS
```

Change the line to read:

```
MINWEEKS=1
```

Set the per-user minimum password change times by using the following command on each user account.

```
# passwd -n [number of days] [accountname]
```

For Solaris 11.4 or newer:

Edit the /etc/default/passwd file.

```
# pfedit /etc/default/passwd
```

Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MINDAYS. Change the line to read:

```
MINDAYS=1
```

Search for MINWEEKS. Change the line to read:

```
#MINWEEKS=
```

Set the per-user minimum password change times by using the following command on each user account.

```
# passwd -n [number of days] [accountname]
```