Profile Applicability:
• Level 1
Description:
The pam_pwhistory module tracks users' previous passwords and prevents reuse of recent passwords. Enabling this module helps enforce password uniqueness, reducing the risk of password cycling attacks.
Rationale:
Preventing reuse of recent passwords enhances password security by ensuring users regularly change their passwords to new, unique values.
Impact:
Pros:
Enforces password uniqueness and strengthens password policies.
Helps prevent common password reuse vulnerabilities.
Cons:
May increase password management overhead for users.
Default Value:
The pam_pwhistory module may not be enabled by default and requires explicit configuration.
Pre-requisites:
Root or sudo privileges to modify PAM configuration.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration files (e.g., /etc/pam.d/system-auth or /etc/pam.d/common-password) for pam_pwhistory module:
grep pam_pwhistory /etc/pam.d/system-auth grep pam_pwhistory /etc/pam.d/common-password
Verify the module is present and configured with appropriate options.
Implementation Plan:
Using Linux command line:
1. Edit PAM password configuration file:
vi /etc/pam.d/system-auth
2. Add or ensure the following line exists to enable pam_pwhistory:
password required pam_pwhistory.so use_authok remember=5 enforce_for_root
remember=5 prevents reuse of the last 5 passwords.
enforce_for_root applies the policy to the root user.
Save the file.
Backout Plan:
Using Linux command line:
Remove or comment out the pam_pwhistory line if needed.
Test password changes to verify the impact.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwhistory Documentation