3.1.2.7 minage

Information

Defines the minimum number of weeks before a password can be changed.

Rationale:

The minage attribute prohibits users changing their password until a set number of weeks have passed.

Impact:

The AIX community prefers to rely on the AIX attribute histexpire rather than a historical minage value.

Historically, the minage attribute has been used to prevent a user from write a script to spool through histsize passwords, and then return to the same password as before. The attribute histexpire overrides histsize. Therefore, there is no need to force a user to request assistance from system administrators in order to reset a poorly chosen password, or in the case of special accounts that policy states passwords are meant for 'one time use'.

Again, since AIX has a different way to prevent scripted password re-cycling, the need for minage is not longer warranted.

Solution

In/etc/security/user, set the default user stanza minage attribute to 1:

chsec -f /etc/security/user -s default -a minage=0

This means that a user can change their password at any time.

Default Value:

minage=0

See Also

https://workbench.cisecurity.org/files/3525

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: b7cc92024434e741818145a82b3c237179268a7e2ec8c079a57af9a23e8e369f