{"description": "Do not allow users to reuse recent passwords. This can be accomplished by using the\n<tt>remember</tt> option for the <tt>pam_unix</tt> or <tt>pam_pwhistory</tt> PAM modules.", "rationale": "Preventing reuse of previous passwords helps ensure that a compromised password is not\nreused by a user.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.8"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(f)", "IA-5(1)(e)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.5"], "srg": ["SRG-OS-000077-GPOS-00045"], "anssi": ["R31"], "pcidss4": ["8.3.7", "8.3"]}, "control_references": {"anssi": ["R31"], "pcidss4": ["8.3.7", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of remember is not equal to or greater than the expected value", "ocil": "To verify the password reuse setting is compliant, run the following command:\n<pre>$ grep remember /etc/pam.d/common-password</pre>\nThe output should show the following at the end of the line:\n<pre>remember=<sub idref=\"var_password_pam_unix_remember\" /></pre>\n\n\nIn newer systems, the <tt>pam_pwhistory</tt> PAM module options can also be set in\n\"/etc/security/pwhistory.conf\" file. Use the following command to verify:\n<pre>$ grep remember /etc/security/pwhistory.conf\nremember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nThe pam_pwhistory <tt>remember</tt> option must be configured only in one file.", "oval_external_content": null, "fixtext": "To configure the <tt>remember</tt> option for the <tt>pam_unix</tt> or <tt>pam_pwhistory</tt>\nPAM modules, in the file <tt>/etc/pam.d/common-password</tt>, append <tt>remember=<sub idref=\"var_password_pam_unix_remember\" /></tt>\nto the line which refers to the <tt>pam_unix.so</tt> or <tt>pam_pwhistory.so</tt> module, as\nshown below:\n<ul>\n<li>for the <tt>pam_unix.so</tt> case:\n<pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<sub idref=\"var_password_pam_unix_remember\" /></pre>\n</li>\n<li>for the <tt>pam_pwhistory.so</tt> case:\n<pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<sub idref=\"var_password_pam_unix_remember\" /></pre>\n</li>\n</ul>\n\nIf the <tt>pam_pwhistory.so</tt> module is used and the <tt>/etc/security/pwhistory.conf</tt>\nfile is present in the system, use it to set the \"remember\" option:\n<pre>remember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nNote:\nIn newer versions of authselect, the <tt>pam_pwhistory.so</tt> module can be easily enabled\nvia authselect feature using the following command:\n<pre>authselect enable-feature with-pwhistory</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not allow passwords to be reused for a minimum of five generations.", "warnings": [{"general": "If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}, {"general": "Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly\nenable <tt>pam_pwhistory.so</tt> module. If this feature is not yet available in your\nsystem, an authselect custom profile must be used to avoid integrity issues in PAM files."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[libpwquality]", "platforms": ["package[libpwquality]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_libpwquality"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Limit Password Reuse", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml", "template": null}