User passwords must be changed at least every 60 days.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216086	SOL-11.1-040010	SV-216086r646931_rule		Medium

Description
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a password change every 60 Days.

Description

Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a password change every 60 Days.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-17324r646930_chk )
The root role is required. Determine if user passwords are properly configured to be changed every 60 days. Determine the OS version you are currently securing. # uname -v For Solaris 11, 11.1, 11.2, and 11.3: # logins -ox \|awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > “56" \|\| $11 < “1" )) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 8 weeks or less. # grep "^MAXWEEKS=" /etc/default/passwd If the command does not report MAXWEEKS=8 or less, this is a finding. For Solaris 11.4 or newer: # logins -ox \|awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ($11 > "60"\|\| $11 < "1")) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 60 days or less. Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. # grep "^MAXDAYS=" /etc/default/passwd If the command does not report MAXDAYS=60 or less, this is a finding. # grep "^MAXWEEKS=" /etc/default/passwd If output is returned, this is a finding.

Check Text ( C-17324r646930_chk )

The root role is required.

Determine if user passwords are properly configured to be changed every 60 days.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > “56" || $11 < “1" )) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to enforce password expiration every 8 weeks or less.

# grep "^MAXWEEKS=" /etc/default/passwd

If the command does not report MAXWEEKS=8 or less, this is a finding.

For Solaris 11.4 or newer:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ($11 > "60"|| $11 < "1")) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to enforce password expiration every 60 days or less.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MAXDAYS=" /etc/default/passwd

If the command does not report MAXDAYS=60 or less, this is a finding.

# grep "^MAXWEEKS=" /etc/default/passwd

If output is returned, this is a finding.

Fix Text (F-17322r622336_fix)
The User Security role is required. For Solaris 11, 11.1, 11.2, and 11.3: Change each username to enforce 56 day password changes. # pfexec passwd -x 56 [username] # pfedit /etc/default/passwd Search for MAXWEEKS. Change the line to read: MAXWEEKS=8 For Solaris 11.4 or newer: Change each username to enforce 60 day password changes. # pfexec passwd -x 60 [username] # pfedit /etc/default/passwd Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable. Search for MAXDAYS. Change the line to read: MAXDAYS=60 Search for MAXWEEKS. Change the line to read: #MAXWEEKS=

Fix Text (F-17322r622336_fix)

The User Security role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

Change each username to enforce 56 day password changes.

# pfexec passwd -x 56 [username]

# pfedit /etc/default/passwd

Search for MAXWEEKS. Change the line to read:

MAXWEEKS=8

For Solaris 11.4 or newer:

Change each username to enforce 60 day password changes.

# pfexec passwd -x 60 [username]

# pfedit /etc/default/passwd
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MAXDAYS. Change the line to read:

MAXDAYS=60

Search for MAXWEEKS. Change the line to read:

#MAXWEEKS=