User passwords must be changed at least every 56 days.

From Solaris 11 SPARC Security Technical Implementation Guide

Part of SRG-OS-000076

Associated with: CCI-000199

SV-60815r2_rule User passwords must be changed at least every 56 days.

Vulnerability discussion

Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.

Check content

The root role is required. Determine if user passwords are properly configured to be changed every 56 days. # logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $11 != "56" ) { print }' If output is returned and the listed account is accessed via direct logon, this is a finding. Check that /etc/default/password is configured to enforce password expiration every 56 days or less. # grep "^MAXWEEKS=" /etc/default/passwd If the command does not report MAXWEEKS=8 or less, this is a finding.

Fix text

The User Security role is required. Change each username to enforce 56 day password changes. # pfexec passwd -x 56 [username] # pfedit /etc/default/passwd Search for MAXWEEKS. Change the line to read: MAXWEEKS=8

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer