Check: GEN000700
SUSE Linux Enterprise Server v11 for System z STIG:
GEN000700
(in versions v1 r12 through v1 r9)
Title
User passwords must be changed at least every 60 days. (Cat II impact)
Discussion
Limiting the lifespan of authenticators limits the period of time an unauthorized user has access to the system while using compromised credentials and reduces the period of time available for password-guessing attacks to run against a single password.
Check Content
Check the max days field (the 5th field) of /etc/shadow. # more /etc/shadow If the max days field is equal to 0 or greater than 60 for any user, this is a finding.
Fix Text
Set the max days field to 60 for all user accounts. # passwd -x 60 <user>
Additional Identifiers
Rule ID: SV-44879r1_rule
Vulnerability ID: V-11976
Group Title: GEN000700
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000180 |
The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators. |
Controls
Number | Title |
---|---|
IA-5 |
Authenticator Management |