{"description": "Do not allow users to reuse recent passwords. This can be accomplished by using the\n<tt>remember</tt> option for the <tt>pam_pwhistory</tt> PAM module.\n<br/><br/>\n\nOn systems with newer versions of <tt>authselect</tt>, the <tt>pam_pwhistory</tt> PAM module\ncan be enabled via an authselect feature:\n<pre>authselect enable-feature with-pwhistory</pre>\n\nOtherwise, it should be enabled using an authselect custom profile.\n<br/><br/>\nNewer systems also have the <tt>/etc/security/pwhistory.conf</tt> file for setting\n<tt>pam_pwhistory</tt> module options. This file should be used whenever available.\nOtherwise, the <tt>pam_pwhistory</tt> module options can be set in PAM files.\n<br/><br/>\nThe value for the <tt>remember</tt> option must be equal to or greater than\n<sub idref=\"var_password_pam_remember\" />", "rationale": "Preventing reuse of previous passwords helps ensure that a compromised password is not\nreused by a user.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.8"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(f)", "IA-5(1)(e)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.5"], "srg": ["SRG-OS-000077-GPOS-00045"], "pcidss4": ["8.3.7", "8.3"]}, "control_references": {"pcidss4": ["8.3.7", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the pam_pwhistory.so module is not used, the \"remember\" module option is not set in\n/etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set\nwith a value less than \"<sub idref=\"var_password_pam_remember\" />\"", "ocil": "Verify Ubuntu 22.04 uses the \"pam_pwhistory.so\" module in the /etc/pam.d/password-auth file\nand is configured to prohibit password reuse for a minimum of <sub idref=\"var_password_pam_remember\" />\ngenerations.\n\nVerify the \"/etc/pam.d/password-auth\" file with the following command:\n\n<pre>$ grep pam_pwhistory.so /etc/pam.d/password-auth\npassword <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok remember=<sub idref=\"var_password_pam_remember\" /></pre>\n\n\nVerify the \"/etc/security/pwhistory.conf\" file using the following command:\n\n<pre>$ grep remember /etc/security/pwhistory.conf\nremember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nThe pam_pwhistory.so \"remember\" option must be configured in only one file.", "oval_external_content": null, "fixtext": "Configure the Ubuntu 22.04 system-auth file to use the \"pam_pwhistory.so\" module and prohibit\npassword reuse for a minimum of <sub idref=\"var_password_pam_remember\" /> generations.\n\n\nFirst ensure the pam_pwhistory.so module is enabled in the password section of \"/etc/pam.d/password-auth\":\n<pre>password <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok</pre>\n\nIf \"/etc/security/pwhistory.conf\" is present on the system, use it to set the \"remember\" option:\n<pre>remember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nOtherwise, include the \"remember\" option in the \"/etc/pam.d/password-auth\" file:\n<pre>password <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok remember=<sub idref=\"var_password_pam_remember\" /></pre>\n\nNote:\nIn newer versions of authselect, the \"pam_pwhistory.so\" module can be easily enabled via an\nauthselect feature using the following command:\n<pre>authselect enable-feature with-pwhistory</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}, {"general": "Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly\nenable the <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your\nsystem, an authselect custom profile must be used to avoid integrity issues in PAM files.\nIf a custom profile was created and used in the system before this authselect feature was\navailable, the new feature can't be used with this custom profile and the\nremediation will fail. In this case, the custom profile should be recreated or manually\nupdated."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.", "vuldiscussion": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nUbuntu 22.04 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", "checktext": "Verify Ubuntu 22.04 is configured in the password-auth file to prohibit password reuse for a minimum of five generations with the following command:\n\n$ grep -i remember /etc/pam.d/password-auth\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", "fixtext": "Configure the Ubuntu 22.04 password-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/password-auth\" (or modify the line to have the required value):\n\npassword requisite pam_pwhistory.so use_authtok remember=5 retry=3"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Limit Password Reuse: password-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml", "template": null}