GEN000800 - The system must prohibit the reuse of passwords within five iterations - '/etc/security/opasswd must exist'


If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.


Create the password history file.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd

Enable password history.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any 'password pam_unix' or 'password pam_pwhistory' lines set to at least 5.

See Also

Item Details


References: 800-53|IA-5(1)(e), CAT|II, CCI|CCI-000200, Rule-ID|SV-218242r603259_rule, STIG-ID|GEN000800, STIG-Legacy|SV-64321, STIG-Legacy|V-4084, Vuln-ID|V-218242

Plugin: Unix

Control ID: 14e651466a6b4d2cd48a73264edaee5e623ab14b0e3aaee5993bc87e5db7005c