Check: OL6-00-000274
Oracle Linux 6 STIG:
OL6-00-000274
(in versions v2 r7 through v1 r13)
Title
The system must prohibit the reuse of passwords within five iterations. (Cat II impact)
Discussion
Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.
Check Content
To verify the password reuse setting is compliant, run the following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth The output must be a line beginning with "password required pam_pwhistory.so" and ending with "remember=5". If the line is commented out, the line does not contain the specified elements, or the value for "remember" is less than “5”, this is a finding.
Fix Text
Do not allow users to reuse recent passwords. This can be accomplished by using the "remember" option for the "pam_pwhistory" PAM module. In the file "/etc/pam.d/system-auth", append "remember=5" to the line which refers to the "pam_pwhistory.so" module, as shown: password required pam_pwhistory.so [existing_options] remember=5 The DoD requirement is five passwords.
Additional Identifiers
Rule ID: SV-209012r793733_rule
Vulnerability ID: V-209012
Group Title: SRG-OS-000077
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000200 |
The information system prohibits password reuse for the organization-defined number of generations. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |