SV-216321r646926_rule
V-216321
SRG-OS-000076
SOL-11.1-040010
CAT II
10
The User Security role is required.
For Solaris 11, 11.1, 11.2, and 11.3:
For each user account, enforce a maximum password age of 56 days.
# pfexec passwd -x 56 [username]
# pfedit /etc/default/passwd
Search for MAXWEEKS. Change the line to read:
MAXWEEKS=8
For Solaris 11.4 or newer:
For each user account, enforce a maximum password age of 60 days.
# pfexec passwd -x 60 [username]
# pfedit /etc/default/passwd
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.
Search for MAXDAYS. Change the line to read:
MAXDAYS=60
Search for MAXWEEKS. Change the line to read:
#MAXWEEKS=
The root role is required.
Determine if user passwords are properly configured to be changed every 60 days.
Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > 56 || $11 < 1 )) { print }'
If output is returned and the listed account is accessed via direct logon, this is a finding.
Check that /etc/default/passwd is configured to enforce password expiration every 8 weeks or less.
# grep "^MAXWEEKS=" /etc/default/passwd
If the command does not report MAXWEEKS=8 or less, this is a finding.
For Solaris 11.4 or newer:
# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > 60 || $11 < 1 )) { print }'
If output is returned and the listed account is accessed via direct logon, this is a finding.
Check that /etc/default/passwd is configured to enforce password expiration every 60 days or less.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.
# grep "^MAXDAYS=" /etc/default/passwd
If the command does not report MAXDAYS=60 or less, this is a finding.
# grep "^MAXWEEKS=" /etc/default/passwd
If output is returned, this is a finding.
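The checks above, combined into one offline audit over saved `logins -ox` output and a copy of /etc/default/passwd. This is an added example, not part of the STIG text; the function names, the finding labels and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not from a real host.

# aging_findings FILE MAX: names from saved `logins -ox` output whose maximum
# password age (field 11) is outside 1..MAX, skipping root, LK and NL accounts.
# "+ 0" forces numeric comparison: as strings, "7" > "60" and "100" < "60".
aging_findings() {
    awk -F: -v max="$2" '$1 != "root" && $8 != "LK" && $8 != "NL" &&
        ($11 + 0 > max + 0 || $11 + 0 < 1) { print $1 }' "$1"
}

# policy_findings FILE MODE: checks a copy of /etc/default/passwd.
# MODE "weeks" = Solaris 11-11.3 (MAXWEEKS<=8); "days" = 11.4+ (MAXDAYS<=60,
# no active MAXWEEKS line). Values below 1 are also reported (assumption,
# mirroring the per-account lower bound).
policy_findings() {
    awk -F= -v mode="$2" '
        /^MAXWEEKS=/ { w = $2; hw = 1 }
        /^MAXDAYS=/  { d = $2; hd = 1 }
        END {
            if (mode == "weeks") {
                if (!hw || w + 0 < 1 || w + 0 > 8) print "MAXWEEKS"
            } else {
                if (hw) print "MAXWEEKS-with-MAXDAYS"
                if (!hd || d + 0 < 1 || d + 0 > 60) print "MAXDAYS"
            }
        }' "$1"
}

# Constructed sample inputs written to a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/logins.txt" <<'EOF'
root:0:root:0:Super-User:/root:/usr/bin/bash:PS:010124:-1:-1:-1
alice:100:staff:10:Alice:/export/home/alice:/usr/bin/bash:PS:010124:1:56:7
bob:101:staff:10:Bob:/export/home/bob:/usr/bin/bash:PS:010124:1:100:7
carol:102:staff:10:Carol:/export/home/carol:/usr/bin/bash:PS:010124:1:7:7
dave:103:staff:10:Dave:/export/home/dave:/usr/bin/bash:PS:010124:-1:-1:-1
svc:104:other:1:Service:/var/svc:/usr/bin/false:LK:010124:-1:-1:-1
EOF
printf 'MAXWEEKS=8\nMAXDAYS=60\n' > "$demo_dir/passwd.defaults"

echo "accounts outside 1..60 days:"; aging_findings "$demo_dir/logins.txt" 60
echo "policy findings (11.4 mode):"; policy_findings "$demo_dir/passwd.defaults" days
```

Any name or label printed is a candidate finding; per the check text, an account counts only if it is accessed via direct logon.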