From Oracle Linux 5 Security Technical Implementation Guide
Part of GEN000800
Associated with: CCI-000200
If a user, or root, used the same password continuously or was allowed to change it back shortly after being forced to change it to something else, it would provide a potential intruder with the opportunity to keep guessing at one user's password until it was guessed correctly.
# ls /etc/security/opasswd If /etc/security/opasswd does not exist, then this is a finding. # grep password /etc/pam.d/system-auth| egrep '(pam_pwhistory.so|pam_unix.so|pam_cracklib.so)' | grep remember If the "remember" option in /etc/pam.d/system-auth is not 5 or greater, this is a finding. Check for system-auth-ac inclusions. # grep -c system-auth-ac /etc/pam.d/* If the system-auth-ac file is included anywhere # more /etc/pam.d/system-auth-ac | grep password | egrep '(pam_pwhistory.so|pam_unix.so|pam_cracklib.so)' | grep remember If in /etc/pam.d/system-auth-ac is referenced by another file and the "remember" option is not set to 5 or greater this is a finding.
Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd Enable password history. If /etc/pam.d/system-auth references /etc/pam.d/system-auth-ac refer to the man page for system-auth-ac for a description of how to add options not configurable with authconfig. Edit /etc/pam.d/system-auth to include the remember option on any "password pam_unix" or "password pam_pwhistory" lines set to at least 5.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer