STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

User passwords must be changed at least every 60 days.

DISA Rule

SV-216086r646931_rule

Vulnerability Number

V-216086

Group Title

SRG-OS-000076

Rule Version

SOL-11.1-040010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The User Security role is required.

For Solaris 11, 11.1, 11.2, and 11.3:

Set each user account to require a password change every 56 days.

# pfexec passwd -x 56 [username]

# pfedit /etc/default/passwd

Search for MAXWEEKS. Change the line to read:

MAXWEEKS=8

For Solaris 11.4 or newer:

Set each user account to require a password change every 60 days.

# pfexec passwd -x 60 [username]

# pfedit /etc/default/passwd

Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

Search for MAXDAYS. Change the line to read:

MAXDAYS=60

Search for MAXWEEKS. Change the line to read:

#MAXWEEKS=

Check Contents

The root role is required.

Determine if user passwords are properly configured to be changed every 60 days.

Determine the OS version you are currently securing.
# uname -v

For Solaris 11, 11.1, 11.2, and 11.3:

# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > 56 || $11 < 1 )) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to enforce password expiration every 8 weeks or less.

# grep "^MAXWEEKS=" /etc/default/passwd

If the command does not report MAXWEEKS=8 or less, this is a finding.

For Solaris 11.4 or newer:

# logins -ox | awk -F: '( $1 != "root" && $8 != "LK" && $8 != "NL" && ( $11 > 60 || $11 < 1 )) { print }'

If output is returned and the listed account is accessed via direct logon, this is a finding.

Check that /etc/default/passwd is configured to enforce password expiration every 60 days or less.

Note: It is an error to set both the WEEKS and the DAYS variant for a given MIN/MAX/WARN variable.

# grep "^MAXDAYS=" /etc/default/passwd

If the command does not report MAXDAYS=60 or less, this is a finding.

# grep "^MAXWEEKS=" /etc/default/passwd

If output is returned, this is a finding.
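The two checks above can be combined into one audit script. This is an added example, not part of the STIG or of STIGQter; the function names and sample account lines are constructed, and the field positions are taken from the awk filter in the check text. It compares the maximum-age field numerically, so a value such as 100 is reported against a limit of 60.

```shell
#!/bin/sh
# Added example (not DISA's or STIGQter's script). Sample data is constructed.

# Print logins whose max password age ($11) is unset (<1) or above $1 days.
# Field positions ($1 login, $8 status, $11 max age) follow the page's awk filter.
audit_logins() {
    awk -F: -v max="$1" '
        $1 != "root" && $8 != "LK" && $8 != "NL" &&
        ($11 + 0 > max + 0 || $11 + 0 < 1) { print $1 }'
}

# True when $1 is an integer between 1 and $2.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# audit_defaults FILE MODE: MODE is "weeks" (11 to 11.3) or "days" (11.4+).
# Returns 0 when compliant, 1 on a finding. The lower bound of 1 is an
# assumption mirroring the "$11 < 1" test; the page only says "or less".
audit_defaults() {
    weeks=$(sed -n 's/^MAXWEEKS=//p' "$1" | tail -1)
    days=$(sed -n 's/^MAXDAYS=//p' "$1" | tail -1)
    case $2 in
        weeks) in_range "$weeks" 8 ;;
        days)  # any active MAXWEEKS= line is a finding on 11.4+
               if grep '^MAXWEEKS=' "$1" >/dev/null; then return 1; fi
               in_range "$days" 60 ;;
        *)     return 1 ;;
    esac
}

# Constructed `logins -ox` style lines: alice 56 days, bob 100, carol unset,
# dave locked, root excluded by the filter.
sample_logins() {
    cat <<'EOF'
root:0:root:0:Super-User:/root:/usr/bin/bash:PS:010121:-1:-1:-1
alice:100:staff:10:Alice:/export/home/alice:/usr/bin/bash:PS:010121:1:56:7
bob:101:staff:10:Bob:/export/home/bob:/usr/bin/bash:PS:010121:1:100:7
carol:102:staff:10:Carol:/export/home/carol:/usr/bin/bash:PS:010121:-1:-1:-1
dave:103:staff:10:Dave:/export/home/dave:/usr/bin/bash:LK:010121:1:100:7
EOF
}

echo "11.4+ findings:" $(sample_logins | audit_logins 60)
```

On a live system, pipe `logins -ox` into `audit_logins` and pass `/etc/default/passwd` to `audit_defaults`; whether a reported account is accessed via direct logon still has to be judged by hand.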

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments