GEN000800 - The system must prohibit the reuse of passwords within five iterations - '/etc/security/opasswd'

Information

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.

Solution

Create the password history file.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd

Enable password history.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any 'password pam_unix' or 'password pam_history' lines set to at least 5.

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|II, CCE|CCE-14939-3, CCI|CCI-000200, Group-ID|V-4084, Rule-ID|SV-37323r3_rule, STIG-ID|GEN000800, Vuln-ID|V-4084

Plugin: Unix

Control ID: e21e3b5fd7662402c57e6866ef9491d6533a28e6f3da7d3ff380a105da469775