{"description": "Do not allow users to reuse recent passwords. This can be accomplished by using the\n<tt>remember</tt> option for the <tt>pam_pwhistory</tt> PAM module.\n<br/><br/>\n\nOn systems with newer versions of <tt>authselect</tt>, the <tt>pam_pwhistory</tt> PAM module\ncan be enabled via an authselect feature:\n<pre>authselect enable-feature with-pwhistory</pre>\n\nOtherwise, it should be enabled using an authselect custom profile.\n<br/><br/>\nNewer systems also have the <tt>/etc/security/pwhistory.conf</tt> file for setting\n<tt>pam_pwhistory</tt> module options. This file should be used whenever available.\nOtherwise, the <tt>pam_pwhistory</tt> module options can be set in PAM files.\n<br/><br/>\nThe value of the <tt>remember</tt> option must be equal to or greater than\n<sub idref=\"var_password_pam_remember\" />", "rationale": "Preventing reuse of previous passwords helps ensure that a compromised password is not\nreused by a user.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.8"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(f)", "IA-5(1)(e)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.5"], "srg": ["SRG-OS-000077-GPOS-00045"], "pcidss4": ["8.3.7", "8.3"]}, "control_references": {"pcidss4": ["8.3.7", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the pam_pwhistory.so module is not used, the \"remember\" module option is not set in\n/etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set\nwith a value less than \"<sub idref=\"var_password_pam_remember\" />\"", "ocil": "Verify Ubuntu 22.04 uses the \"pam_pwhistory.so\" module in the /etc/pam.d/system-auth file\nand is configured to prohibit password reuse for a minimum of <sub idref=\"var_password_pam_remember\" />\ngenerations.\n\nVerify the \"/etc/pam.d/system-auth\" file with the following command:\n\n<pre>$ grep pam_pwhistory.so /etc/pam.d/system-auth\npassword <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok remember=<sub idref=\"var_password_pam_remember\" /></pre>\n\n\nVerify the \"/etc/security/pwhistory.conf\" file using the following command:\n\n<pre>$ grep remember /etc/security/pwhistory.conf\nremember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nThe pam_pwhistory.so \"remember\" option must be configured in only one file.", "oval_external_content": null, "fixtext": "Configure the Ubuntu 22.04 system-auth file to use the \"pam_pwhistory.so\" module and prohibit\npassword reuse for a minimum of <sub idref=\"var_password_pam_remember\" /> generations.\n\n\nFirst ensure the pam_pwhistory.so module is enabled in the password section of \"/etc/pam.d/system-auth\":\n<pre>password <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok</pre>\n\nIf the \"/etc/security/pwhistory.conf\" file is present on the system, use it to set the \"remember\" option:\n<pre>remember = <sub idref=\"var_password_pam_remember\" /></pre>\n\nOtherwise, include the \"remember\" option in the \"/etc/pam.d/system-auth\" file:\n<pre>password <sub idref=\"var_password_pam_remember_control_flag\" /> pam_pwhistory.so use_authtok remember=<sub idref=\"var_password_pam_remember\" /></pre>\n\nNote:\nIn newer versions of authselect, the \"pam_pwhistory.so\" module can be easily enabled via an\nauthselect feature using the following command:\n<pre>authselect enable-feature with-pwhistory</pre>", 
"checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}, {"general": "Newer versions of <tt>authselect</tt> contain an authselect feature to easily and properly\nenable the <tt>pam_pwhistory.so</tt> module. If this feature is not yet available on your\nsystem, an authselect custom profile must be used to avoid integrity issues in PAM files."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.", "vuldiscussion": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nUbuntu 22.04 uses \"pwhistory\" consecutively as a mechanism to prohibit password reuse. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.", "checktext": "Verify Ubuntu 22.04 is configured in the system-auth file to prohibit password reuse for a minimum of five generations with the following command:\n\n$ grep -i remember /etc/pam.d/system-auth\n\npassword required pam_pwhistory.so use_authtok remember=5 retry=3\n\nIf the line containing \"pam_pwhistory.so\" does not have the \"remember\" module argument set, is commented out, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding.", "fixtext": "Configure the Ubuntu 22.04 system-auth file to prohibit password reuse for a minimum of five generations.\n\nAdd the following line in \"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\npassword required pam_pwhistory.so use_authtok remember=5 retry=3"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Limit Password Reuse: system-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml", "template": null}