Detections
Analytics
GEN000800 - The system must prohibit the reuse of passwords within five iterations - '/etc/pam.d/system-auth'
Information
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.Solution
Create the password history file.# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd
Enable password history.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any 'password pam_unix' or 'password pam_history' lines set to at least 5.
See Also
http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip
Item Details
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5(1)(e), CAT|II, CCE|CCE-14939-3, CCI|CCI-000200, Group-ID|V-4084, Rule-ID|SV-37323r3_rule, STIG-ID|GEN000800, Vuln-ID|V-4084
Plugin: Unix
Control ID: e21e3b5fd7662402c57e6866ef9491d6533a28e6f3da7d3ff380a105da469775