Title

During a password change, the system must determine if password aging attributes are inherited from the /etc/default/security file attributes when no password aging is specified in the shadow file for local users. (Cat II impact)

Discussion

Password aging attributes are stored in /etc/default/security and /etc/shadow. Anytime a password aging policy is changed, policy requirements are updated in /etc/default/security. If the system is allowed to override or ignore updates made to /etc/default/security, deprecated password aging policies will remain intact and never enforce newer requirements.

Check Content

For Trusted Mode: If the system is operating in Trusted Mode, this check is not applicable. For SMSE: Check the OVERRIDE_SYSDEF_PWAGE attribute setting. # grep OVERRIDE_SYSDEF_PWAGE /etc/default/security If the OVERRIDE_SYSDEF_PWAGE attribute is missing or not set to 0, this is a finding.

Fix Text

If the system is operating in Trusted Mode, no fix is required. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) to update the OVERRIDE_SYSDEF_PWAGE attribute. See the below example: OVERRIDE_SYSDEF_PWAGE=0 Note: If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Additional Identifiers

Rule ID: SV-52481r1_rule

Vulnerability ID: V-40492

Group Title: GEN000000-HPUX0450

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.