STIGQter STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

User accounts must be locked after 35 days of inactivity.

DISA Rule

SV-216109r603268_rule

Vulnerability Number

V-216109

Group Title

SRG-OS-000003

Rule Version

SOL-11.1-040280

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Perform the following to implement the recommended state:

# useradd -D -f 35

To set this policy on a user account, use the command(s):

# usermod -f 35 [username]

To set this policy on a role account, use the command(s):

# rolemod -f 35 [name]

Check Contents

Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'


If these commands provide output other than 35, this is a finding.

Vulnerability Number

V-216109

Documentable

False

Rule Version

SOL-11.1-040280

Severity Override Guidance

Determine whether the 35-day inactivity lock is configured properly.

# useradd -D | xargs -n 1 | grep inactive |\
awk -F= '{ print $2 }'

If the command returns a result other than 35, this is a finding.

The root role is required for the "logins" command.

For each configured user name and role name on the system, determine whether a 35-day inactivity period is configured. Replace [username] with an actual user name or role name.

# logins -axo -l [username] | awk -F: '{ print $13 }'


If these commands provide output other than 35, this is a finding.

Check Content Reference

M

Target Key

4021

Comments