Skip to content

Limit Password Reuse

An XCCDF Rule

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is or greater. For example:

password requisite pam_pwhistory.so ...existing_options... remember= use_authtok
The DoD STIG requirement is 5 passwords.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

ID
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91398-8
  - accounts_password_pam_pwhistory_remember

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()