4.4.3.3.3 Ensure pam_pwhistory includes use_authtok

Information

use_authtok - When password changing enforce the module to set the new password to the one provided by a previously stacked password module

use_authtok allows multiple pam modules to confirm a new password before it is accepted.

Solution

Run the following script to verify the active authselect profile includes use_authtok on the password stack's pam_pwhistory.so module lines:

#!/usr/bin/env bash

{
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
grep -P -- '^h*passwordh+(requisite|required|sufficient)h+pam_pwhistory.soh+([^#
r]+h+)?use_authtokb' "$l_pam_profile_path"/{password,system}-auth
}

Example output:

/etc/authselect/custom/custom-profile/password-auth:password required pam_pwhistory.so use_authtok

/etc/authselect/custom/custom-profile/system-auth:password required pam_pwhistory.so use_authtok

- IF - the output does not include use_authtok run the following script:

#!/usr/bin/env bash

{
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
if grep -Pq '^h*passwordh+([^#
r]+)h+pam_pwhistory.soh+([^#
r]+h+)?use_authtokb' "$l_authselect_file"; then
echo "- \"use_authtok\" is already set"
else
echo "- \"use_authtok\" is not set. Updating template"
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwhistory.sos+.*)$/&amp; use_authtok/g' "$l_authselect_file"
fi
done
}

Run the following command to update the password-auth and system-auth files in /etc/pam.d to include the use_authtok argument on the password stack's pam_pwhistory.so lines:

# authselect apply-changes

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: c019f423a08d6d25cc56e2bfe0096276381d2f09b6db57f769e5397ddc13ac97