Detections
Analytics
SOL-11.1-040030 - The operating system must enforce minimum password lifetime restrictions.
Information
Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse.Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day.
Solution
The root role is required.For Solaris 11, 11.1, 11.2, and 11.3:
# pfedit /etc/default/passwd file.
Locate the line containing:
MINWEEKS
Change the line to read:
MINWEEKS=1
Set the per-user minimum password change times by using the following command on each user account.
# passwd -n [number of days] [accountname]
For Solaris 11.4 or newer:
# pfedit /etc/default/passwd file.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.
Search for MINDAYS. Change the line to read:
MINDAYS=1
Search for MINWEEKS. Change the line to read:
#MINWEEKS=
Set the per-user minimum password change times by using the following command on each user account.
# passwd -n [number of days] [accountname]
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_x86_V3R4_STIG.zip
Item Details
Audit Name: DISA Solaris 11 X86 STIG v3r4
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5(1)(d), CAT|II, CCI|CCI-000198, CCI|CCI-004066, Rule-ID|SV-216088r1016284_rule, STIG-ID|SOL-11.1-040030, STIG-Legacy|SV-60825, STIG-Legacy|V-47953, Vuln-ID|V-216088
Plugin: Unix
Control ID: 21d0a7c5af6cfe4ccf9dd1139a59970f409558933b25eba46e90fab420ea3ef5