CCE-99403-8Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2023-02-09 (M)2023-09-01 |
Description: The `/etc/security/opasswd` file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Rationale: Forcing users not to reuse their past 24 passwords make it less likely that an attacker will be able to guess the password.Note that these change only apply to accounts configured on the local system. Audit: Run the following commands and ensure the `remember` option is '`24`' or more and included in all results:# grep -E '^passwords+requireds+pam_unix.so' /etc/pam.d/common-passwordpassword required pam_pwhistory.so remember=24 Remediation: Edit the `/etc/pam.d/common-password` file to include the `remember` option and conform to site policy as shown:password [success=2 default=ignore] pam_unix.so remember=5.
Parameter:
[number of last passwords to remember]
Technical Mechanism:
Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password:
password sufficient pam_unix.so remember=5
Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your sites password policy.
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.8 | Attack Vector: NETWORK |
Exploit Score: 3.9 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87267 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85107 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92184 |