The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71933	RHEL-07-010270	SV-86557r3_rule		Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.

STIG	Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide	2018-11-28

Details

Check Text ( C-72165r2_chk )
Verify the operating system prohibits password reuse for a minimum of five generations. Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: # grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth password requisite pam_pwhistory.so use_authtok remember=5 retry=3 If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.

Check Text ( C-72165r2_chk )

Verify the operating system prohibits password reuse for a minimum of five generations.

Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:

# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.

Fix Text (F-78285r3_fix)
Configure the operating system to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): password requisite pam_pwhistory.so use_authtok remember=5 retry=3 Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.

Fix Text (F-78285r3_fix)

Configure the operating system to prohibit password reuse for a minimum of five generations.

Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):

password requisite pam_pwhistory.so use_authtok remember=5 retry=3

Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.