4.4.2.3.2 Ensure password history remember is configured

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

- remember=<N> - <N> is the number of old passwords to remember

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password.

Note: These change only apply to accounts configured on the local system.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following line to the password section:

password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example password section:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: e9cea766e804e5886f9d30ba67a3d99ae1715fd0d007891eb60565b037066f6e