SV-221685r603260_rule
V-221685
SRG-OS-000077-GPOS-00045
OL07-00-010270
CAT II
10
Configure the operating system to prohibit password reuse for a minimum of five generations.
Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
password requisite pam_pwhistory.so use_authtok remember=5 retry=3
Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.
Verify the operating system prohibits password reuse for a minimum of five generations.
Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
password requisite pam_pwhistory.so use_authtok remember=5 retry=3
If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.
V-221685
False
OL07-00-010270
Verify the operating system prohibits password reuse for a minimum of five generations.
Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
password requisite pam_pwhistory.so use_authtok remember=5 retry=3
If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.
M
4089