GEN000800 - The system must prohibit the reuse of passwords within five iterations - '/etc/pam.d/system-auth-ac remember > 5'

Information

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.

Solution

Create the password history file.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd

Enable password history.
If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any 'password pam_unix' or 'password pam_history' lines set to at least 5.

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e), CAT|II, CCE|CCE-14939-3, CCI|CCI-000200, Group-ID|V-4084, Rule-ID|SV-37323r3_rule, STIG-ID|GEN000800, Vuln-ID|V-4084

Plugin: Unix

Control ID: 61b1a024350da3621df6ca6e316bd0376b4c792d1c12601fdd0508ac835a9b83