====== 5.3.3 Ensure password reuse is limited (Scored) ======

=====Profile Applicability=====
<code>
Level 1 - Server
Level 1 - Workstation
</code>

=====Description=====
The ''/etc/security/opasswd'' file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.

=====Rationale=====
Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. \\
Note that these changes only apply to accounts configured on the local system.

=====Audit=====
Run the following commands and ensure the ''remember'' option is '5' or more and is included in all results:
<Code:bash>
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so remember=5
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
</Code>

=====Remediation=====
Edit the ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth'' files to include the ''remember'' option and conform to site policy as shown:
<Code:bash>
password sufficient pam_unix.so remember=5
</Code>

=====Notes=====
Additional module options may be set; this recommendation only covers those listed here.

centos7/5/3/3.txt Last modified: 2017/05/05 18:43 by Piotr Kłoczewski
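The audit commands above only print the matching lines and leave the comparison to the reader. The following added example (not part of the benchmark page) also checks the value: it fails when any ''password sufficient pam_unix.so'' line lacks ''remember'' or sets it below the minimum. The function names ''check_remember'' and ''make_samples'' and the sample PAM lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the benchmark). Checks that every
# 'password sufficient pam_unix.so' line sets remember=N with N >= minimum.

# check_remember FILE [MIN] -> exit 0 if compliant, non-zero otherwise;
# one finding per failing line is written to stdout.
check_remember() {
    awk -v min="${2:-5}" -v f="$1" '
        # Same selection as the benchmark egrep: uncommented pam_unix.so lines
        $1 == "password" && $2 == "sufficient" && $3 == "pam_unix.so" {
            seen++
            val = ""
            for (i = 4; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) val = substr($i, 10)
            if (val == "") {
                printf "%s:%d: remember option missing\n", f, NR; bad++
            } else if (val + 0 < min + 0) {
                printf "%s:%d: remember=%s is below %d\n", f, NR, val, min; bad++
            }
        }
        END {
            if (!seen) { printf "%s: no pam_unix.so password line found\n", f; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# make_samples DIR: write constructed PAM fragments (not taken from a real host)
make_samples() {
    printf '%s\n' \
        'password requisite  pam_pwquality.so try_first_pass retry=3' \
        'password sufficient pam_unix.so sha512 shadow use_authtok remember=5' \
        > "$1/ok"
    printf '%s\n' \
        'password sufficient pam_unix.so sha512 shadow remember=2' \
        > "$1/low"
    printf '%s\n' \
        '#password sufficient pam_unix.so remember=5' \
        'password sufficient pam_unix.so sha512 shadow use_authtok' \
        > "$1/missing"
}

# Demo over the constructed samples; on a real host pass
# /etc/pam.d/password-auth and /etc/pam.d/system-auth instead.
tmp=$(mktemp -d) && make_samples "$tmp"
for name in ok low missing; do
    if check_remember "$tmp/$name"; then echo "$name: PASS"; else echo "$name: FAIL"; fi
done
rm -rf "$tmp"
```

The ''missing'' sample shows why a commented-out line must not count: the only active ''pam_unix.so'' line there has no ''remember'' option, so the file fails.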