According to STIG ID RHEL-07-010270, the pam_unix.so entry in system-auth should apply the
remember= value to limit password reuse.
However, upon applying the SSG SCAP checks and remediations, I noticed that I was unable
to change my password when forcing all account passwords to be changed at the next login.
So upon doing some searching, I discovered this:
https://bugzilla.redhat.com/show_bug.cgi?id=1412838
Tomaz included a statement at the end as follows:
"Please use pam_pwhistory instead of adding remember option to pam_unix. There is no
way to make that remember option of pam_unix properly supported with SELinux."
Can we please report this issue up to DISA and recommend changing the requirement to
require pam_pwhistory versus pam_unix?
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
Trey.Henefield@ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com
Disclaimer
The information contained in this communication from trey.henefield(a)ultra-ats.com sent at 2017-06-21 15:02:03 is confidential and may be legally privileged. It is intended solely for use by scap-security-guide(a)lists.fedorahosted.org and others authorized to receive it. If you are not scap-security-guide(a)lists.fedorahosted.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
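As an added example (not part of the original post or of the SSG project's own content), a POSIX shell check that reports whether a system-auth password stack limits reuse through remember= on pam_unix, the form the STIG text calls for, or through pam_pwhistory, the form the bugzilla comment recommends. The two PAM stacks inside it are constructed samples, and the default path /etc/pam.d/system-auth is an assumption.

```shell
#!/bin/sh
# Added check: which mechanism, if any, limits password reuse in a
# system-auth password stack. The PAM stacks below are constructed samples.

# Sample 1 (constructed): reuse limit on pam_unix, the form the STIG text
# describes and the one the bugzilla comment says cannot work under SELinux.
STACK_PAM_UNIX='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so'

# Sample 2 (constructed): the same stack moved to pam_pwhistory; remember=
# is dropped from pam_unix and carried by pam_pwhistory.so instead.
STACK_PWHISTORY='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so'

# classify_reuse_control STACK_TEXT -> prints one word:
#   pwhistory : remember=N set on pam_pwhistory.so (recommended form)
#   pam_unix  : remember=N set on pam_unix.so only (affected by the bug)
#   none      : no reuse limit in the password stack
classify_reuse_control() {
    # Keep only uncommented "password" lines; "|| true" keeps set -e quiet
    # when a stack has no such lines at all.
    pw_lines=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
               | grep '^[[:space:]]*password' || true)
    if printf '%s\n' "$pw_lines" | grep -q 'pam_pwhistory\.so.*remember=[0-9]'; then
        echo pwhistory
    elif printf '%s\n' "$pw_lines" | grep -q 'pam_unix\.so.*remember=[0-9]'; then
        echo pam_unix
    else
        echo none
    fi
}

# check_file [PATH] -> classify a real PAM file; the default path is an
# assumption matching the file the STIG entry refers to.
check_file() {
    f=${1:-/etc/pam.d/system-auth}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    classify_reuse_control "$(cat "$f")"
}

echo "remember= on pam_unix -> $(classify_reuse_control "$STACK_PAM_UNIX")"
echo "pam_pwhistory         -> $(classify_reuse_control "$STACK_PWHISTORY")"
```

Running `check_file` on a host shows which of the two forms the SSG remediation left in place; a result of `pam_unix` is the configuration the bugzilla thread describes as unsupported with SELinux.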