Title

The system must prohibit the reuse of passwords to 15 iterations. (Cat II impact)

Discussion

If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at the user's password until it was guessed correctly.

Check Content

Open a terminal session and use the following command to view the setting for password history. sudo pwpolicy -n -getglobalpolicy | tr " " "\n" | grep usingHistory If the value of usingHistory is less than 15, this is a finding. NOTE: If the command returns a response of password server is not configured, the system is not managed. Use the following command for non-managed systems. pwpolicy -n /Local/Default -getglobalpolicy | tr " " "\n" | grep usingHistory

Fix Text

Open a terminal session and use the following command to set the value for usingHistory. sudo pwpolicy -n -setglobalpolicy "usingHistory=15" NOTE: For non-managed system, use the following command. pwpolicy -n /Local/Default -setglobalpolicy "usingHistory=15"

Additional Identifiers

Rule ID: SV-38632r1_rule

Vulnerability ID: V-4084

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.