The operating system must enforce minimum password lifetime restrictions.

An XCCDF Rule

Description

Passwords need to be changed at specific policy-based intervals; however, if the information system or application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time, defeating the organization's policy regarding password reuse. Solaris 11.4 introduced new password security features that allow for a more granular approach to password duration parameters. The introduction of MAXDAYS, MINDAYS, and WARNDAYS allow the /etc/default/passwd configuration file to enforce a minimum password lifetime of a single day.

ID: SV-216323r1016269_rule
Version: SOL-11.1-040030
Severity: Medium
References: CCI-000198 CCI-004066
Updated: about 2 months ago

Remediation Templates

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

# pfedit /etc/default/passwd file.
Locate the line containing:

MINWEEKS

Change the line to read: 

MINWEEKS=1

Set the per-user minimum password change times by using the following command on each user account. 

# passwd -n [number of days] [accountname]

For Solaris 11.4 or newer:

# pfedit /etc/default/passwd file.
Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MINDAYS. Change the line to read: 

MINDAYS=1

Search for MINWEEKS. Change the line to read: 

#MINWEEKS=

Set the per-user minimum password change times by using the following command on each user account. 

# passwd -n [number of days] [accountname]

The operating system must enforce minimum password lifetime restrictions.

Description

Remediation Templates

A Manual Procedure