4.4.2.3.1 Ensure pam_pwhistory module is enabled

Information

The pam_history.so module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently.

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following line to the password section:

password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example password section:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 58999ee655aacf7443e2d5eb56c1a58ec4fe51a56028af282cd4ee49c3044138