According to STIG ID RHEL-07-010270, the pam_unix.so entry in system-auth should apply the remember= value to limit password reuse.
However, upon applying the SSG SCAP checks and remediations, I noticed that I was unable to change my password when forcing all account passwords to be changed at the next login. So upon doing some searching, I discovered this: https://bugzilla.redhat.com/show_bug.cgi?id=1412838

Tomaz included a statement at the end as follows: "Please use pam_pwhistory instead of adding remember option to pam_unix. There is no way to make that remember option of pam_unix properly supported with SELinux."

Can we please report this issue up to DISA and recommend changing the requirement to require pam_pwhistory versus pam_unix?

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics Advanced Tactical Systems, Inc.
4101 Smith School Road, Building IV, Suite 100
Austin, TX 78744 USA
[email protected]
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com

Disclaimer: The information contained in this communication from [email protected] sent at 2017-06-21 15:02:03 is confidential and may be legally privileged.
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
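As an added audit check (not code from the post, the SSG project, or DISA), the following POSIX shell function reports which module carries the `remember=` option on a system-auth password stack, distinguishing the pam_unix form the bug report warns about from the recommended pam_pwhistory form; the two sample stacks and the file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a PAM password stack for how password reuse is limited.
# Prints one of:
#   PAM_UNIX   - pam_unix.so carries remember= (the form the bug report advises against)
#   PWHISTORY  - pam_pwhistory.so carries remember= and pam_unix.so does not
#   NONE       - no password-stack line carries remember=
# Only "password" lines are inspected; commented-out lines are ignored.
audit_pwhistory() {
    file="$1"
    if grep -qE '^[[:space:]]*password[[:space:]].*pam_unix\.so.*remember=' "$file"; then
        echo PAM_UNIX
    elif grep -qE '^[[:space:]]*password[[:space:]].*pam_pwhistory\.so.*remember=' "$file"; then
        echo PWHISTORY
    else
        echo NONE
    fi
}

# Return the remember= count configured on pam_pwhistory.so (empty if absent).
pwhistory_remember_value() {
    sed -nE 's/^[[:space:]]*password[[:space:]].*pam_pwhistory\.so.*remember=([0-9]+).*/\1/p' "$1" | head -n 1
}

# Constructed sample stacks (assumed contents, written to temp files so the
# functions can be run without touching /etc/pam.d/system-auth).
BAD=$(mktemp) && GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT
cat > "$BAD" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF
cat > "$GOOD" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    required      pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
EOF

echo "remember= via pam_unix (sample):     $(audit_pwhistory "$BAD")"
echo "remember= via pam_pwhistory (sample): $(audit_pwhistory "$GOOD") (remember=$(pwhistory_remember_value "$GOOD"))"
```

On a live system, run `audit_pwhistory /etc/pam.d/system-auth` (and the same for password-auth); note that pam_pwhistory must precede pam_unix in the stack with `use_authtok`, as in the second sample.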
