Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must prohibit the reuse of passwords within five iterations.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4084 | GEN000800 | SV-37323r2_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2014-01-09 |
Details
| Check Text ( C-36015r2_chk ) |
|---|
| # ls /etc/security/opasswd If /etc/security/opasswd does not exist, then this is a finding. # grep password /etc/pam.d/system-auth| egrep '(pam_pwhistory.so|pam_unix.so)' | grep remember If the "remember" option in /etc/pam.d/system-auth is not 5 or greater, this is a finding. Check for system-auth-ac inclusions. # grep -c system-auth-ac /etc/pam.d/* If the system-auth-ac file is included anywhere # more /etc/pam.d/system-auth-ac | grep password | egrep '(pam_pwhistory.so|pam_unix.so)' | grep remember If in /etc/pam.d/system-auth-ac is referenced by another file and the "remember" option is not set to 5 or greater this is a finding. |
| Fix Text (F-31265r2_fix) |
|---|
| Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd Enable password history. If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any "password pam_unix" or "password pam_history" lines set to at least 5. |