Check: GEN000000-HPUX0450
HP-UX 11.31 STIG: GEN000000-HPUX0450 (in versions v1 r19 through v1 r13)
Title
During a password change, the system must determine if password aging attributes are inherited from the /etc/default/security file attributes when no password aging is specified in the shadow file for local users. (Cat II impact)
Discussion
Password aging attributes are stored in /etc/default/security and /etc/shadow. Anytime a password aging policy is changed, policy requirements are updated in /etc/default/security. If the system is allowed to override or ignore updates made to /etc/default/security, deprecated password aging policies will remain intact and never enforce newer requirements.
Check Content
For Trusted Mode: If the system is operating in Trusted Mode, this check is not applicable.
For SMSE: Check the OVERRIDE_SYSDEF_PWAGE attribute setting.
# grep OVERRIDE_SYSDEF_PWAGE /etc/default/security
If the OVERRIDE_SYSDEF_PWAGE attribute is missing or not set to 0, this is a finding.
Fix Text
If the system is operating in Trusted Mode, no fix is required.
For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.
Use the SAM/SMH interface (/etc/default/security file) to update the OVERRIDE_SYSDEF_PWAGE attribute. See the below example:
OVERRIDE_SYSDEF_PWAGE=0
Note: If manually editing the /etc/default/security file, save any change(s) before exiting the editor.
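The SMSE check above can be scripted so that a commented-out entry, which the plain grep would still print, is not mistaken for a compliant setting. This is an added example, not part of the STIG text: the function name check_pwage and the sample file are constructed, Trusted Mode applicability is left to the auditor, and because the page does not describe how the file is parsed, the script assumes any active line naming the attribute must read exactly OVERRIDE_SYSDEF_PWAGE=0.

```shell
#!/bin/sh
# Added example (not from the STIG): audit OVERRIDE_SYSDEF_PWAGE on an SMSE system.
# check_pwage [FILE] prints a verdict and returns 0 (compliant) or 1 (finding).
check_pwage() {
    file=${1:-/etc/default/security}
    if [ ! -r "$file" ]; then
        echo "FINDING: cannot read $file"
        return 1
    fi
    awk '
        /^[ \t]*#/ { next }                  # commented-out entries do not count
        /OVERRIDE_SYSDEF_PWAGE/ {
            line = $0
            sub(/[ \t]+$/, "", line)         # ignore trailing whitespace only
            seen++
            # Assumption: strict match, anything else is treated as a finding.
            if (line != "OVERRIDE_SYSDEF_PWAGE=0") bad++
        }
        END {
            if (!seen) { print "FINDING: OVERRIDE_SYSDEF_PWAGE is missing"; exit 1 }
            if (bad)   { print "FINDING: OVERRIDE_SYSDEF_PWAGE is not set to 0"; exit 1 }
            print "OK: OVERRIDE_SYSDEF_PWAGE=0"
        }
    ' "$file"
}

# Constructed sample: the only occurrence is commented out, so grep prints a
# line that looks compliant while the attribute is in fact missing.
sample=$(mktemp)
printf '%s\n' '# OVERRIDE_SYSDEF_PWAGE=0' 'PASSWORD_MAXDAYS=60' > "$sample"
check_pwage "$sample" || echo "(exit status 1: finding)"
rm -f "$sample"
```

Run with no argument on the target host to audit /etc/default/security itself.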
Additional Identifiers
Rule ID: SV-52481r1_rule
Vulnerability ID: V-40492
Group Title: GEN000000-HPUX0450
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |