Detections
Analytics

5.3.3.3.4 Ensure remember is configured on the pam_pwhistory module in /etc/pam.d/password-auth

Information

Passwords must be prohibited from reuse for a minimum of five generations.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.

RHEL 8 operating system's utilize "pwquality" consecutively as a mechanism to enforce password complexity. This is set in both:/etc/pam.d/password-auth/etc/pam.d/system-auth.

Note that manual changes to the listed files may be overwritten by the "authselect" program.

Solution

Configure the operating system in the password-auth file to prohibit password reuse for a minimum of five generations.

Add the following line in "/etc/pam.d/password-auth" (or modify the line to have the required value):

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16, Rule-ID|SV-230368r902759_rule, Vuln-ID|V-230368

Plugin: Unix

Control ID: 8e4ac8ffe441453a3f2330a21b81875c5234dcc285c7adb11ad4e217dbd8a011