Limit Password Reuse

An XCCDF Rule

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is or greater. For example:

password requisite pam_pwhistory.so ...existing_options... remember= use_authtok

The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
Severity: Medium
References: CCI-000200

IA-5 (1).1(v) IA-5(1)(e)

SRG-OS-000077-GPOS-00045

SLES-12-010310

5.3.3

SV-217133r603262_rule

CCE-83173-5
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()declare -a NEW_ARGS=()

var_password_pam_remember='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_remember" use="legacy"/>'

VALUES+=("$var_password_pam_remember")
VALUE_NAMES+=("remember")
ARGS+=("")
NEW_ARGS+=("")
VALUES+=("")
VALUE_NAMES+=("")
ARGS+=("use_authtok")
NEW_ARGS+=("use_authtok")

for idx in "${!VALUES[@]}"
do
    if [ -e "/etc/pam.d/common-password" ] ; then
        valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
        # non-empty values need to be preceded by an equals sign
        [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
        # add an equals sign to non-empty values
        [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

        # fix the value for 'option' if one exists but does not match 'valueRegex'
        if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
            sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"

        # add 'option=default' if option is not set
        elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwhistory.so" < "/etc/pam.d/common-password" &&
                grep    -E "^\\s*password\\s+requisite\\s+pam_pwhistory.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then

            sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwhistory.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/common-password"
        # add a new entry if none exists
        elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwhistory.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
            echo "password requisite pam_pwhistory.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/common-password"
        fi
    else
        echo "/etc/pam.d/common-password doesn't exist" >&2
    fi
done

for idx in "${!ARGS[@]}"
do
    if ! grep -q -P "^\s*password\s+requisite\s+pam_pwhistory.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
        sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_pwhistory.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_password_pam_remember # promote to variable
  set_fact:
    var_password_pam_remember: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_remember" use="legacy"/>
  tags:
    - always

- name: Set control_flag fact
  set_fact:
    control_flag: requisite
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check to see if 'pam_pwhistory.so' module is configured in '/etc/pam.d/common-password'
  shell: |
    set -o pipefail
    grep -E '^\s*password\s+\S+\s+pam_pwhistory.so' /etc/pam.d/common-password || true
  register: check_pam_module_result
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure 'pam_pwhistory.so' module in '/etc/pam.d/common-password'
  lineinfile:
    path: /etc/pam.d/common-password
    line: password requisite pam_pwhistory.so
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - '"pam_pwhistory.so" not in check_pam_module_result.stdout'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure 'pam_pwhistory.so' module has conforming control flag
  lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^(\s*password\s+)\S+(\s+pam_pwhistory.so\s+.*)
    line: \g<1>requisite\g<2>
    backrefs: true
  when:
  - '"pam" in ansible_facts.packages'
  - control_flag|length
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure "pam_pwhistory.so" module has argument "remember={{ var_password_pam_remember
    }}"
  lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so(?:\s+\S+)*\s+remember=)(?:\S+)((\s+\S+)*\s*\\*\s*)$
    line: \g<1>{{ var_password_pam_remember }}\g<2>
    backrefs: true
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check the presence of "remember" argument in "pam_pwhistory.so" module
  shell: |
    set -o pipefail
    grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*\s+remember(=|\s|\s*$)' /etc/pam.d/common-password || true
  register: check_pam_module_argument_result
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add "remember" argument to "pam_pwhistory.so" module
  lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so)((\s+\S+)*\s*(\\)*$)
    line: \g<1> remember={{ var_password_pam_remember }}\g<2>
    backrefs: true
  when:
  - '"pam" in ansible_facts.packages'
  - '"remember" not in check_pam_module_argument_result.stdout'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set argument_value fact
  set_fact:
    argument_value: ''
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure "pam_pwhistory.so" module has argument "use_authtok"
  lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so(?:\s+\S+)*\s+use_authtok=)(?!)\S*((\s+\S+)*\s*\\*\s*)$
    line: \g<1>\g<2>
    backrefs: true
  when:
  - '"pam" in ansible_facts.packages'
  - argument_value|length
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check the presence of "use_authtok" argument in "pam_pwhistory.so" module
  shell: |
    set -o pipefail
    grep -E '^\s*password\s+requisite\s+pam_pwhistory.so.*\s+use_authtok(=|\s|\s*$)' /etc/pam.d/common-password || true
  register: check_pam_module_argument_result
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add "use_authtok" argument to "pam_pwhistory.so" module
  lineinfile:
    path: /etc/pam.d/common-password
    regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so)((\s+\S+)*\s*(\\)*$)
    line: \g<1> use_authtok\g<2>
    backrefs: true
  when:
  - '"pam" in ansible_facts.packages'
  - '"use_authtok" not in check_pam_module_argument_result.stdout'
  tags:
  - CCE-83173-5
  - DISA-STIG-SLES-12-010310
  - NIST-800-53-IA-5 (1).1(v)
  - NIST-800-53-IA-5(1)(e)
  - accounts_password_pam_pwhistory_remember
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Limit Password Reuse

Description

Rationale

Remediation - Shell Script

Remediation - Ansible