5.3.12 Ensure password prohibited reuse is at a minimum '5'

Information

The operating system must be configured so that passwords are prohibited from reuse for a minimum of 5 generations.

Rationale:

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.

Solution

To configure the operating system to prohibit password reuse for a minimum of 5 generations, add the following line to both /etc/pam.d/system-auth and /etc/pam.d/password-auth (or modify the existing line so that it carries the required value).
Example: vim /etc/pam.d/system-auth
Add, uncomment or update the following line:

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

Place the line in the password section after the module that prompts for the new password (pam_pwquality.so on RHEL 7) and before pam_unix.so: use_authtok makes pam_pwhistory reuse the new password already collected by the preceding module instead of prompting again. A remember= value larger than 5 also satisfies this requirement; a commented-out line does not, and the check must be applied to both files.

Note: Manual changes to the listed files may be overwritten by the authconfig program. The authconfig program should not be used to update the configurations listed in this requirement.
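The audit side of this recommendation, as an added example that is not part of the Benchmark or Tenable text: a POSIX shell script that reads a PAM stack file, ignores commented-out lines, finds the active password line loading pam_pwhistory.so and compares its remember= value against the required minimum. The three sample files it audits are constructed here to stand in for /etc/pam.d/system-auth and /etc/pam.d/password-auth (compliant, too few generations, and line present but commented out); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Benchmark text: audit PAM stack files for a
# pam_pwhistory "remember=" value that meets the required minimum.

# pwhistory_remember FILE
#   Print the remember= value from the first active (uncommented) "password"
#   line that loads pam_pwhistory.so; print nothing if there is none.
pwhistory_remember() {
    awk '
        /^[[:space:]]*#/ { next }                  # commented-out lines do not apply
        $1 == "password" && /pam_pwhistory\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) {
                    sub(/^remember=/, "", $i); print $i; exit
                }
        }' "$1"
}

# check_pwhistory FILE MIN
#   Return 0 and print PASS when FILE has an active pam_pwhistory line whose
#   remember= value is at least MIN; otherwise print the reason and return 1.
check_pwhistory() {
    val=$(pwhistory_remember "$1")
    if [ -z "$val" ]; then
        echo "FAIL: $1: no active pam_pwhistory.so line carrying remember="
        return 1
    fi
    if [ "$val" -lt "$2" ]; then
        echo "FAIL: $1: remember=$val is below the required minimum of $2"
        return 1
    fi
    echo "PASS: $1: remember=$val"
}

# Constructed sample files standing in for /etc/pam.d/system-auth and
# /etc/pam.d/password-auth; only the "password" section is reproduced.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Compliant: remember=5 on an active pam_pwhistory line.
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# Non-compliant: too few generations remembered.
cat > "$SAMPLE_DIR/password-auth" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so use_authtok remember=3 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

# Non-compliant: the line exists but is commented out, so nothing is enforced.
cat > "$SAMPLE_DIR/disabled-auth" <<'EOF'
#password   requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

# On a real host the loop would run over /etc/pam.d/system-auth and
# /etc/pam.d/password-auth; both must pass for the control to be met.
status=0
for f in system-auth password-auth disabled-auth; do
    check_pwhistory "$SAMPLE_DIR/$f" 5 || status=1
done
[ "$status" -eq 0 ] && echo "RESULT: compliant" || echo "RESULT: non-compliant"
```

The awk filter matches on the module name anywhere in the line, so a full path such as /lib64/security/pam_pwhistory.so is handled, and a bracketed control field ([success=1 default=ignore]) does not shift the parse. pam_pwhistory keeps the remembered hashes in /etc/security/opasswd; remember=N only prevents reuse of entries recorded there after the line took effect, so passwords changed before the fix was applied are not covered.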

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release 3, Benchmark Date: 26 Apr 2019



Vul ID: V-71933

Rule ID: SV-86557r3_rule

STIG ID: RHEL-07-010270

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e)

Plugin: Unix

Control ID: 6bfc81aeb30bcd82b10dd05c9e8047ea3b4fd62d78a3fd8afc02687397a87ffc