Check: ESXI-65-000032
VMware vSphere 6.5 ESXi STIG: ESXI-65-000032 (in versions v2 r4 through v1 r1)
Title
The ESXi host must prohibit the reuse of passwords within five iterations. (Cat II impact)
Discussion
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
Check Content
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command:

    # grep -i "^password" /etc/pam.d/passwd | grep sufficient

If the remember setting is not set or is not "remember=5", this is a finding.
Fix Text
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in “/etc/pam.d/passwd”:

    password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5
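The check above can be scripted so the result is a pass/fail rather than a line to read by eye. This is an added example, not part of the STIG text or any VMware tooling; the function name `check_remember` and the sample line at the end are constructed for illustration, and the function defaults to `/etc/pam.d/passwd` when called without an argument.

```shell
#!/bin/sh
# Added example: automates the ESXI-65-000032 check content.
# check_remember is a hypothetical helper; REQUIRED mirrors the STIG value.
REQUIRED=5

check_remember() {
    pam_file="${1:-/etc/pam.d/passwd}"
    [ -r "$pam_file" ] || { echo "FINDING: cannot read $pam_file"; return 1; }

    # Same filter as the STIG check: uncommented "password ... sufficient" lines.
    lines=$(grep -i '^password' "$pam_file" | grep sufficient)
    [ -n "$lines" ] || { echo "FINDING: no 'password sufficient' line"; return 1; }

    # Split the matching lines into tokens and keep the value of each remember=N.
    values=$(printf '%s\n' "$lines" | tr ' \t' '\n\n' | sed -n 's/^remember=//p')
    [ -n "$values" ] || { echo "FINDING: remember is not set"; return 1; }

    # Every remember value present must equal the required history depth.
    for v in $values; do
        if [ "$v" != "$REQUIRED" ]; then
            echo "FINDING: remember=$v (expected $REQUIRED)"
            return 1
        fi
    done
    echo "OK: remember=$REQUIRED"
    return 0
}

# Constructed sample input (not from a real host): history depth set too low.
sample=$(mktemp)
printf '%s\n' \
    'password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=3' \
    > "$sample"
check_remember "$sample" || true   # reports the remember=3 finding
rm -f "$sample"
```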
Additional Identifiers
Rule ID: SV-207633r378763_rule
Vulnerability ID: V-207633
Group Title: SRG-OS-000077-VMM-000440
CCIs
Number | Definition |
---|---|
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |