SV-216323r603863_rule
V-216323
SRG-OS-000075
SOL-11.1-040030
CAT II
10
The root role is required.
For Solaris 11, 11.1, 11.2, and 11.3:
# pfedit /etc/default/passwd
Locate the line containing:
MINWEEKS
Change the line to read:
MINWEEKS=1
Set the per-user minimum password change times by using the following command on each user account.
# passwd -n [number of days] [accountname]
For Solaris 11.4 or newer:
# pfedit /etc/default/passwd
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.
Search for MINDAYS. Change the line to read:
MINDAYS=1
Search for MINWEEKS. Change the line to read:
#MINWEEKS=
Set the per-user minimum password change times by using the following command on each user account.
# passwd -n [number of days] [accountname]
The root role is required.
Check whether the minimum time period between password changes for each user account is 1 day or greater.
Determine the OS version you are currently securing.
# uname -v
For Solaris 11, 11.1, 11.2, and 11.3:
# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'
If output is returned and the listed account is accessed via direct logon, this is a finding.
Check that /etc/default/passwd is configured with a minimum password change time of 1 week.
# grep "^MINWEEKS=" /etc/default/passwd
If the command does not report MINWEEKS=1 or more, this is a finding.
For Solaris 11.4 or newer:
# logins -ox |awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && $10 < "1" ) { print }'
If output is returned and the listed account is accessed via direct logon, this is a finding.
Check that /etc/default/passwd is configured with a minimum password change time of 1 day.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.
# grep "^MINDAYS=" /etc/default/passwd
If the command does not report MINDAYS=1 or more, this is a finding.
# grep "^MINWEEKS=" /etc/default/passwd
If output is returned, this is a finding.
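The file checks and the account filter above, combined into an offline audit script. This is an added example, not part of the STIG text; the function names (is_min_ok, check_defaults, short_min_age) and the sample account lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): offline audit of a copy of
# /etc/default/passwd and of saved `logins -ox` output.

# is_min_ok VALUE: true when VALUE is a whole number of 1 or more.
is_min_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

# check_defaults FILE MODE: MODE is "weeks" (Solaris 11 to 11.3) or "days" (11.4+).
# Prints "pass" or "finding: <reason>" and returns 0 or 1 accordingly.
check_defaults() {
    weeks=$(sed -n 's/^MINWEEKS=//p' "$1" | tail -n 1)
    days=$(sed -n 's/^MINDAYS=//p' "$1" | tail -n 1)
    case $2 in
    weeks)
        is_min_ok "$weeks" || { echo "finding: MINWEEKS is not 1 or more"; return 1; } ;;
    days)
        # On 11.4+ any uncommented MINWEEKS= line is a finding, even if empty.
        if grep '^MINWEEKS=' "$1" >/dev/null; then
            echo "finding: MINWEEKS is set alongside MINDAYS"; return 1
        fi
        is_min_ok "$days" || { echo "finding: MINDAYS is not 1 or more"; return 1; } ;;
    *)
        echo "usage: check_defaults FILE weeks|days" >&2; return 2 ;;
    esac
    echo "pass"
}

# short_min_age: reads `logins -ox` lines on stdin and prints the login names
# the page's awk filter selects (field 10 is compared as a number here).
short_min_age() {
    awk -F: '$1 != "root" && $8 != "LK" && $8 != "NL" && ($10 + 0) < 1 { print $1 }'
}

# Constructed sample in the colon-separated layout the page's awk command expects.
SAMPLE_LOGINS='root:0:root:0:Super-User:/root:/usr/bin/bash:PS:010125:-1:-1:-1
alice:100:staff:10:Alice:/home/alice:/usr/bin/bash:PS:010125:1:56:7
bob:101:staff:10:Bob:/home/bob:/usr/bin/bash:PS:010125:-1:-1:-1
svc:102:daemon:12:Service:/var/svc:/usr/bin/false:LK:010125:-1:-1:-1'

printf '%s\n' "$SAMPLE_LOGINS" | short_min_age   # prints: bob
```

On a live system, pass /etc/default/passwd as FILE and pipe `logins -ox` into short_min_age; each name it prints still needs the page's test of whether the account is accessed via direct logon.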