Profile Applicability:
• Level 1
Description:
Configuring the password history remember option ensures that users cannot reuse a specified number of their previous passwords. This policy strengthens password security by preventing password recycling.
Rationale:
Enforcing password history reduces the risk of compromised accounts due to reused or predictable passwords, enhancing overall authentication security.
Impact:
Pros:
Prevents password reuse, encouraging stronger and more unique passwords.
Supports compliance with security standards and best practices.
Cons:
Users may face difficulty recalling unique passwords, possibly increasing support requests.
Default Value:
Password history enforcement may not be configured by default.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Verify PAM configuration includes password history settings:
grep pam_pwhistory /etc/pam.d/system-auth
grep pam_pwhistory /etc/pam.d/common-password
Confirm the presence of the remember=<number> option (e.g., remember=5).
Implementation Plan:
Using Linux command line:
1. Edit the relevant PAM configuration file (e.g., /etc/pam.d/system-auth or /etc/pam.d/common-password):
vi /etc/pam.d/system-auth
2. Add or update the line to include the remember parameter:
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root
3. Save the file.
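The grep in the Test Plan above only shows that pam_pwhistory is mentioned; it does not tell you whether the line is commented out or whether remember= is deep enough. The following audit helper is an added example (not part of the CIS benchmark text) that applies the check to constructed PAM fragments, including the line from the Implementation Plan; the file names and the minimum depth of 5 are assumptions.

```shell
#!/bin/sh
# Audit check for the pam_pwhistory "remember=" depth (added example, not CIS text).
# check_pwhistory FILE [MIN]: exit 0 when an active "password" line in FILE loads
# pam_pwhistory.so with remember=N and N >= MIN (default 5); exit 1 otherwise.
check_pwhistory() {
    awk -v min="${2:-5}" '
        /^[ \t]*#/ { next }                          # commented-out lines never apply
        $1 == "password" && /pam_pwhistory\.so/ {
            for (i = 2; i <= NF; i++) {               # scan control, module and options
                if ($i ~ /^remember=[0-9]+$/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 >= min + 0) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Human-readable wrapper: prints "pass" or "fail" for a file and minimum depth.
audit_result() {
    if check_pwhistory "$1" "$2"; then echo pass; else echo fail; fi
}

# Constructed sample PAM fragments (not copied from any real host).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/good" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass retry=3
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow use_authtok
EOF
cat > "$demo_dir/too_shallow" <<'EOF'
password    required      pam_pwhistory.so use_authtok remember=2
EOF
cat > "$demo_dir/commented_out" <<'EOF'
# password  required      pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow use_authtok
EOF
# remember= on pam_unix.so is not credited: the benchmark check is for pam_pwhistory.
cat > "$demo_dir/wrong_module" <<'EOF'
password    sufficient    pam_unix.so sha512 shadow use_authtok remember=5
EOF

for sample in good too_shallow commented_out wrong_module; do
    printf '%-14s remember>=5: %s\n' "$sample" "$(audit_result "$demo_dir/$sample" 5)"
done
```

Run it against the real files by calling check_pwhistory /etc/pam.d/system-auth 5 (or common-password) after sourcing the functions.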
Backout Plan:
Using Linux command line:
Remove or modify the remember parameter if necessary.
Test password changes to ensure proper functionality.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwhistory Documentation