5.3.3.3.1 Ensure password history remember is configured

Information

The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. The number of passwords remembered is set via the remember argument value in set for the pam_pwhistory module.

- remember=<N> - <N> is the number of old passwords to remember

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password.

Note: These change only apply to accounts configured on the local system.

Solution

Run the following command:

# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory.so/) print FILENAME}' /usr/share/pam-configs/*

Edit any returned files and edit or add the remember= argument, with a value of 24 or more, that meets local site policy to the pam_pwhistory line in the Password section:

Example File:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok # <- **ensure line includes remember=<N>**

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable pwhistory

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 4f2bfbe2de0cbbf2f09f4e2c0f50f513c2d9ead87004802751049a53e6312b5e