Information
The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. The number of passwords remembered is set via the remember argument of the pam_pwhistory module.
The pwhistory.conf provides a way to configure the default settings for saving the last passwords for each user. This file is read by the pam_pwhistory module and is the preferred method over configuring pam_pwhistory directly.
- remember=<N> - The last <N> passwords for each user are saved. The default is 10. A value of 0 makes the module keep the existing contents of the opasswd file unchanged.
Requiring users not to reuse their passwords makes it less likely that an attacker will be able to guess the password or use a compromised password.
Note: These changes only apply to accounts configured on the local system.
Solution
Note: The options specified on the pwhistory.so module command line override the values from the pwhistory.conf configuration file. The pwhistory.conf file is the preferred method over configuring pam_pwhistory directly.
Edit or add the remember option in /etc/security/pwhistory.conf, setting it to 24 or more depending on local site policy:
remember = 24
- IF - The pam_pwhistory profile in /usr/share/pam-configs/ has been used to configure pwhistory, run the following script to remove the remember= argument from the pam_pwhistory.so line in the Password section:
#!/usr/bin/env bash
{
    # Find every pam-configs profile that references pam_pwhistory.so
    profiles=$(grep -Rl "pam_pwhistory.so" /usr/share/pam-configs/ || true)
    for profile in $profiles; do
        if grep -Pq 'remember\s*=\s*\d+' "$profile"; then
            # Drop the remember=N argument so pwhistory.conf becomes authoritative
            sed -Ei 's/remember\s*=\s*[0-9]+//g' "$profile"
            # Collapse the whitespace left behind by the removal
            sed -Ei 's/[[:space:]]+/ /g' "$profile"
            echo "Updated pam profile: $profile"
            pam-auth-update --package < /dev/null
        fi
    done
}
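As an added audit example (not part of the benchmark text or the pam_pwhistory project), the following shell functions compute the effective remember value the way the note above describes: the last active setting in pwhistory.conf, overridden by any remember= argument on a pam_pwhistory.so line in the PAM files passed in (pam.d files or pam-configs profiles). The file paths and the helper names are assumptions; the 24 minimum is the value from the solution above.

```shell
#!/usr/bin/env bash
# Added example: audit the effective pam_pwhistory "remember" setting.
# Minimum taken from the benchmark text; raise it to match local policy.
MIN_REMEMBER=24

# Usage: effective_remember CONF [PAMFILE...]
# Prints the effective remember value, or "unset" if nothing sets it.
effective_remember() {
    conf="$1"; shift
    val=""
    # Last non-comment "remember = N" line in pwhistory.conf wins.
    if [ -r "$conf" ]; then
        val=$(sed -En 's/^[[:space:]]*remember[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$conf" | tail -n 1)
    fi
    # A remember=N argument on a pam_pwhistory.so module line overrides the file
    # (pam.d entries and pam-configs profiles are both handled: any non-comment
    # line naming the module is inspected).
    for f in "$@"; do
        [ -r "$f" ] || continue
        override=$(sed -En -e '/^[[:space:]]*#/d' \
            -e '/pam_pwhistory\.so/ s/.*[[:space:]]remember[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$f" | tail -n 1)
        [ -n "$override" ] && val="$override"
    done
    printf '%s\n' "${val:-unset}"
}

# Usage: check_remember CONF [PAMFILE...]
# Exit status 0 when the effective value meets MIN_REMEMBER, 1 otherwise.
check_remember() {
    v=$(effective_remember "$@")
    if [ "$v" = unset ]; then
        echo "FAIL: remember not set; pam_pwhistory falls back to its default of 10"
        return 1
    fi
    if [ "$v" -ge "$MIN_REMEMBER" ]; then
        echo "PASS: effective remember=$v (>= $MIN_REMEMBER)"
        return 0
    fi
    echo "FAIL: effective remember=$v (< $MIN_REMEMBER)"
    return 1
}

# Example call on a live system (assumed paths):
# check_remember /etc/security/pwhistory.conf /etc/pam.d/common-password /usr/share/pam-configs/*
```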