Tri-Lab Operating System Stack (TOSS) 4 STIG Version Comparison

There are 10 differences between versions v1 r2 (Aug. 29, 2022) (the "left" version) and v2 r1 (July 24, 2024) (the "right" version).

Check TOSS-04-040130 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Title

TOSS must prohibit password reuse for a minimum of five generations.

Check Content

Verify TOSS prohibits password reuse for a minimum of five generations. Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: $ sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/system-auth:password required pam_pwhistory.so use_authtok remember=5 retry=3 /etc/pam.d/password-auth:password required pam_pwhistory.so use_authtok remember=5 retry=3 If either file is missing "pam_pwhistory.so" and does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Fix

Configure TOSS to prohibit password reuse for a minimum of five generations. Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): password required pam_pwhistory.so use_authtok remember=5 retry=3