The operating system must enforce minimum password lifetime restrictions.

An XCCDF Rule

Description

<VulnDiscussion>Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216088r986427_rule
Severity: Medium
References: CCI-004066
Updated: 17 days ago

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

# pfedit /etc/default/passwd file.
Locate the line containing:

MINWEEKS

Change the line to read: 

MINWEEKS=1

Set the per-user minimum password change times by using the following command on each user account.

# passwd -n [number of days] [accountname]

For Solaris 11.4 or newer:

# pfedit /etc/default/passwd file.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MINDAYS. Change the line to read: 

MINDAYS=1

Search for MINWEEKS. Change the line to read: 

#MINWEEKS=

Set the per-user minimum password change times by using the following command on each user account. 

# passwd -n [number of days] [accountname]

The operating system must enforce minimum password lifetime restrictions.

Description

Remediation - Manual Procedure