Check: GEN000700
HP-UX 11.31 STIG:
GEN000700
(in versions v1 r19 through v1 r13)
Title
User passwords must be changed at least every 60 days. (Cat II impact)
Discussion
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password guessing attacks to run against a single password.
Check Content
For Trusted Mode: Check the exptm field for each user, or for all accounts: # getprpw -r -m exptm <USER> # logins -o -x | awk -F: '{print $1” “$11}' If the exptm attribute is set equal to -1, 0, or greater than 60 for any user, this is a finding. For SMSE: Check the PASSWORD_MAXDAYS setting. The command and an example output is seen directly below: # egrep “PASSWORD_MAXDAYS|PASSWORD_WARNDAYS” /etc/default/security /var/adm/userdb/* Example output from the above command, with the correctly assigned attribute values. Note that PASSWORD_MAXDAYS may deviate from 60. Illegal values include 0 (no warning). PASSWORD_MAXDAYS attribute exceptions that must not be used are 1-7 (values less than or equal to the required PASSWORD_WARNDAYS attribute setting): PASSWORD_MAXDAYS=60 PASSWORD_WARNDAYS=7 If the above attributes are either missing or not set per the above attribute values (exceptions noted above), this is a finding.
Fix Text
For Trusted Mode: Set the password maximum days field to 60 for all user accounts. # passwd -x 60 <user> For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the PASSWORD_MAXDAYS attribute. See the below example: PASSWORD_MAXDAYS=60 PASSWORD_WARNDAYS=7 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.
Additional Identifiers
Rule ID: SV-38247r3_rule
Vulnerability ID: V-11976
Group Title: GEN000700
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000180 |
The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators. |
Controls
Number | Title |
---|---|
IA-5 |
Authenticator Management |