
The system must prohibit the reuse of passwords within five iterations.


Overview

Finding ID: V-4084
Version: GEN000800
Rule ID: SV-44884r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
STIG: SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide
Date: 2018-09-19

Details

Check Text ( C-42338r1_chk )
# pam-config -q --pwhistory
If the result is not "password: remember=5" or a higher value, this is a finding.

# ls /etc/security/opasswd
If /etc/security/opasswd does not exist, then this is a finding.

# grep password /etc/pam.d/common-password | grep pam_pwhistory.so | grep remember
If the "remember" option in /etc/pam.d/common-password is not 5 or greater, this is a finding.
Fix Text (F-38316r1_fix)
Create the password history file.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd

Configure pam to use password history.
# pam-config -a --pwhistory
# pam-config -a --pwhistory-remember=5
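The following shell functions are an added example, not part of the STIG text, that evaluate the check and fix above offline: they parse the pam_pwhistory.so "remember" option out of common-password content and verify the ownership and mode the fix sets on /etc/security/opasswd. The sample PAM lines are constructed for illustration, `stat -c` assumes GNU coreutils (present on SLES), and the optional owner argument to check_opasswd is an assumption added so the function can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the STIG): check pam_pwhistory "remember" and the
# opasswd file the way the Check Text above does, against constructed input.
# Assumes GNU coreutils for `stat -c`.

# Print the remember= value from the first "password ... pam_pwhistory.so" line
# read on stdin (empty output if the module or the option is absent).
pwhistory_remember() {
    grep -E '^[[:space:]]*password' | grep 'pam_pwhistory.so' \
        | grep -o 'remember=[0-9]*' | head -n 1 | cut -d= -f2
}

# $1: contents of /etc/pam.d/common-password.
# Returns 0 (compliant) when remember >= 5, 1 (finding) otherwise.
check_remember() {
    val=$(printf '%s\n' "$1" | pwhistory_remember)
    [ -n "$val" ] && [ "$val" -ge 5 ]
}

# $1: path to the history file, $2: expected owner (defaults to root, as the
# Fix Text sets it). Returns 0 when it is a regular file with mode 0600 owned
# by that user, 1 otherwise. The existence test mirrors the Check Text; the
# owner/mode test mirrors the Fix Text.
check_opasswd() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || return 1
    [ "$(stat -c '%U:%a' "$f")" = "$owner:600" ]
}

# Constructed sample configurations (not taken from a real host).
COMPLIANT='password requisite pam_cracklib.so
password required pam_pwhistory.so remember=5 use_authtok
password required pam_unix.so use_authtok nullok shadow'

WEAK='password required pam_pwhistory.so remember=3 use_authtok
password required pam_unix.so use_authtok'

MISSING='password required pam_unix.so use_authtok'

# Usage: run each sample through the check and report it the way an auditor would.
for name in COMPLIANT WEAK MISSING; do
    eval "cfg=\$$name"
    if check_remember "$cfg"; then
        echo "$name: remember option is 5 or greater (not a finding)"
    else
        echo "$name: remember option missing or below 5 (finding)"
    fi
done

if check_opasswd /etc/security/opasswd; then
    echo "/etc/security/opasswd: present, root-owned, mode 0600"
else
    echo "/etc/security/opasswd: missing or wrong owner/mode (finding)"
fi
```

On a live system, replace the constructed strings with `cat /etc/pam.d/common-password` and compare the result with `pam-config -q --pwhistory`; the two should agree, since pam-config rewrites the common-password file.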