✎ 5.3.3 Ensure password reuse is limited (Scored) [SecScan]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.

====== 5.3.3 Ensure password reuse is limited (Scored) ======
=====Profile Applicability=====  
<code>
Level 1 - Server 
Level 1 - Workstation
</code>
=====Description=====
The ''/etc/security/opasswd'' file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords.
=====Rationale=====
Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. \\
Note that these change only apply to accounts configured on the local system.
=====Audit===== 
Run the following commands and ensure the remember option is '5' or more and included in all results:
<Code:bash>
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/password-auth
password sufficient pam_unix.so remember=5 
# egrep '^password\s+sufficient\s+pam_unix.so' /etc/pam.d/system-auth
password sufficient pam_unix.so remember=5
</Code>
=====Remediation===== 
Edit the ''/etc/pam.d/password-auth'' and ''/etc/pam.d/system-auth'' files to include the ''remember'' option and conform to site policy as shown:
<Code:bash>
password sufficient pam_unix.so remember=5
</Code>
=====Notes===== 
Additional module options may be set, recommendation only covers those listed here.