UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must prohibit the reuse of passwords within five iterations.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4084 GEN000800 SV-44884r1_rule Medium
Description
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-42338r1_chk )
# pam-config -q --pwhistory
If the result is not’ password: remember=5’ or higher, then this is a finding.

# ls /etc/security/opasswd
If /etc/security/opasswd does not exist, then this is a finding.

# grep password /etc/pam.d/common-password| grep pam_pwhistory.so | grep remember
If the "remember" option in /etc/pam.d/common-password is not 5 or greater, this is a finding.
Fix Text (F-38316r1_fix)
Create the password history file.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 0600 /etc/security/opasswd

Configure pam to use password history.
# pam-config -a --pwhistory
# pam-config -a --pwhistory-remember=5