{"description": "The <tt>remember</tt> option stores the last n passwords for each user in <tt>/etc/security/opasswd</tt>,\nenforcing password history and preventing users from reusing the same passwords. However, this feature\nrelies on the MD5 password hash algorithm, which is less secure. Instead, the <tt>pam_pwhistory</tt>\nmodule should be used. This module also stores the last n passwords in <tt>/etc/security/opasswd</tt>\nand it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,\noffering enhanced security.\n\n<br/><br/>\nOn Debian-based systems, the <tt>remember</tt> option should be removed from the PAM configuration\nin <tt>/etc/pam.d/common-*</tt> files.", "rationale": "Removing the <tt>remember</tt> argument ensures the use of a stronger password hashing algorithm.\nA more robust hash algorithm increases the difficulty for attackers to crack stored\npasswords in <tt>/etc/security/opasswd</tt>, thereby improving system security and\nprotecting user credentials.", "severity": "medium", "references": {"cis": ["5.3.3.4.2"]}, "control_references": {"cis": ["5.3.3.4.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the remember option is found in pam_unix.so configuration", "ocil": "To verify that the <tt>remember</tt> option is not present in the <tt>pam_unix.so</tt> configuration,\nrun the following command:\n\n<pre>$ grep -rE \"^\\s*password\\s+.*pam_unix\\.so.*\\bremember=\" /etc/pam.d/common-*</pre>\n\nThe command should not return any output. If any lines are returned, it means the <tt>remember</tt>\noption is configured in <tt>pam_unix.so</tt>, which is not compliant with this requirement.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Avoid using remember in pam_unix module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml", "template": null}