User passwords must be changed at least every 60 days.

An XCCDF Rule

Description

<VulnDiscussion>Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a password change every 60 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216321r986393_rule
Severity: Medium
References: CCI-004066
Updated: 18 days ago

The User Security role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

Change each username to enforce 56 day password changes.
# pfexec passwd -x 56 [username]

# pfedit /etc/default/passwd 

Search for MAXWEEKS. Change the line to read:

MAXWEEKS=8

For Solaris 11.4 or newer:

Change each username to enforce 60 day password changes.

# pfexec passwd -x 60 [username]

# pfedit /etc/default/passwd 
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MAXDAYS. Change the line to read:

MAXDAYS=60

Search for MAXWEEKS. Change the line to read:

#MAXWEEKS=

User passwords must be changed at least every 60 days.

Description

Remediation - Manual Procedure