STIGQter STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must enforce minimum password lifetime restrictions.

DISA Rule

SV-216088r603876_rule

Vulnerability Number

V-216088

Group Title

SRG-OS-000075

Rule Version

SOL-11.1-040030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

# pfedit /etc/default/passwd file.

Locate the line containing:

MINWEEKS

Change the line to read:

MINWEEKS=1

Set the per-user minimum password change times by using the following command on each user account.

# passwd -n [number of days] [accountname]

For Solaris 11.4 or newer:

# pfedit /etc/default/passwd file.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MINDAYS. Change the line to read:

MINDAYS=1

Search for MINWEEKS. Change the line to read:

#MINWEEKS=

Set the per-user minimum password change times by using the following command on each user account.

# passwd -n [number of days] [accountname]

Check Contents

The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to minimum password change time of 1 week.

# grep "^MINWEEKS=" /etc/default/passwd

If the command does not report MINWEEKS=1 or more, this is a finding.

For Solaris 11.4 or newer:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to minimum password change time of 1 day.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MINDAYS=" /etc/default/passwd

If the command does not report MINDAYS=1 or more, this is a finding.

# grep "^MINWEEKS=" /etc/default/passwd

If output is returned, this is a finding.

Vulnerability Number

V-216088

Documentable

False

Rule Version

SOL-11.1-040030

Severity Override Guidance

The root role is required.

Check whether the minimum time period between password changes for each user account is 1 day or greater.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to minimum password change time of 1 week.

# grep "^MINWEEKS=" /etc/default/passwd

If the command does not report MINWEEKS=1 or more, this is a finding.

For Solaris 11.4 or newer:

# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/password is configured to minimum password change time of 1 day.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MINDAYS=" /etc/default/passwd

If the command does not report MINDAYS=1 or more, this is a finding.

# grep "^MINWEEKS=" /etc/default/passwd

If output is returned, this is a finding.

Check Content Reference

M

Target Key

4021

Comments