5.3.2.4 Ensure pam_pwhistory module is enabled

Information

The pam_pwhistory.so module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently.

This module does not work together with kerberos. In general, it does not make much sense to use this module in conjunction with NIS or LDAP since the old passwords are stored on the local machine and are not available on another machine for password history checking.

Use of unique, complex passwords helps to increase the time and resources required to compromise a password.

Solution

Run the following command to verify that a pam_pwhistory.so line exists in a pam-auth-update profile:

# grep -P -- '\bpam_pwhistory\.so\b' /usr/share/pam-configs/*

Output should be similar to:

/usr/share/pam-configs/pwhistory: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

- IF - similar output is returned:

Run the following command to update /etc/pam.d/common-password with the returned profile:

# pam-auth-update --enable {PROFILE_NAME}

Example:

# pam-auth-update --enable pwhistory

- IF - similar output is NOT returned:

Create a pwhistory profile in /usr/share/pam-configs/ with the following lines:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example Script:

#!/usr/bin/env bash

{
  # Each element becomes one line of the profile; the leading space on the last
  # element makes it a continuation line of the Password: field
  arr=('Name: pwhistory password history checking' 'Default: yes' 'Priority: 1024' 'Password-Type: Primary' 'Password:' ' requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok')
  printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/pwhistory
}

Run the following command to update /etc/pam.d/common-password with the pwhistory profile:

# pam-auth-update --enable pwhistory

Note:

- The name used for the file must be used in the pam-auth-update --enable command
- The Name: line should be easily recognizable and understood
- The Priority: line is important as it affects the order of the lines in the /etc/pam.d/ files
- If a site specific custom profile is being used in your environment to configure PAM that includes the configuration for the pam_pwhistory module, enable that module instead
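The following audit helper is an added example, not part of the benchmark text or of pam-auth-update. It checks a pam-auth-update profile (or a generated /etc/pam.d/common-password) for an active pam_pwhistory.so line whose remember= value meets the benchmark's 24, and runs itself against constructed sample profiles rather than live system files.

```shell
#!/usr/bin/env bash
# Added audit helper (example code, not part of the benchmark or of pam-auth-update).
# It checks a pam-auth-update profile such as /usr/share/pam-configs/pwhistory,
# or a generated /etc/pam.d/common-password, for an active pam_pwhistory.so line
# whose remember= value meets the benchmark's minimum of 24.

# audit_pwhistory FILE [MIN_REMEMBER]
# Exit status: 0 = pam_pwhistory.so present with remember>=MIN (default 24),
#              1 = no active pam_pwhistory.so line, 2 = remember missing or too low.
audit_pwhistory() {
  local file="$1" min="${2:-24}" line remember
  # First non-comment line that loads pam_pwhistory.so; profile continuation
  # lines are indented, common-password lines start with "password".
  line=$(grep -E '^[[:space:]]*[^#[:space:]].*pam_pwhistory\.so([[:space:]]|$)' \
           "$file" 2>/dev/null | head -n 1 || true)
  [ -n "$line" ] || return 1
  remember=$(printf '%s\n' "$line" | grep -o 'remember=[0-9]*' | head -n 1 | cut -d= -f2 || true)
  [ -n "$remember" ] && [ "$remember" -ge "$min" ] || return 2
  return 0
}

# write_sample DIR NAME MODULE_LINE: writes a constructed profile (sample data for
# this example, never a live system file) in the benchmark's pwhistory format.
write_sample() {
  local path="$1/$2"
  printf '%s\n' 'Name: pwhistory password history checking' 'Default: yes' \
    'Priority: 1024' 'Password-Type: Primary' 'Password:' " $3" > "$path"
  printf '%s\n' "$path"
}

# Demonstration on three constructed profiles: compliant, remember too low,
# and a profile that loads a different module (expected status 0, 2, 1).
demo_dir=$(mktemp -d)
i=0
for modline in \
  'requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok' \
  'requisite pam_pwhistory.so remember=5 use_authtok' \
  'requisite pam_pwquality.so retry=3'; do
  i=$((i + 1))
  sample=$(write_sample "$demo_dir" "sample$i" "$modline")
  rc=0; audit_pwhistory "$sample" || rc=$?
  printf '%s -> status %d\n' "$sample" "$rc"
done
rm -rf "$demo_dir"
```

Pointing audit_pwhistory at /etc/pam.d/common-password after pam-auth-update --enable pwhistory confirms the profile actually reached the generated file.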

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 7ff65653cc92188221d7bdd471ccd63dbdd723ca5ebe20341898f4c6af86a99b