According to STIG ID RHEL-07-010270, the pam_unix.so entry in system-auth should apply the remember= value to limit password reuse.
However, upon applying the SSG SCAP checks and remediations, I noticed that I was unable to change my password when forcing all account passwords to be changed at the next login.
So upon doing some searching, I discovered this:
https://bugzilla.redhat.com/show_bug.cgi?id=1412838
Tomaz included a statement at the end as follows:
"Please use pam_pwhistory instead of adding remember option to pam_unix. There is no way to make that remember option of pam_unix properly supported with SELinux."
Can we please report this issue up to DISA and recommend changing the requirement to require pam_pwhistory versus pam_unix?
Best regards,
Trey Henefield, CISSP Senior IAVA Engineer
Ultra Electronics Advanced Tactical Systems, Inc. 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA
Trey.Henefield@ultra-ats.com Tel: +1 512 327 6795 ext. 647 Fax: +1 512 327 8043 Mobile: +1 512 541 6450
www.ultra-ats.com
Disclaimer The information contained in this communication from trey.henefield@ultra-ats.com sent at 2017-06-21 15:02:03 is confidential and may be legally privileged. It is intended solely for use by scap-security-guide@lists.fedorahosted.org and others authorized to receive it. If you are not scap-security-guide@lists.fedorahosted.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
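To make the point of the message concrete, here is an added example (not from the original post or from the SSG project) that audits a PAM password stack the way the post suggests: it flags the `remember=` option on `pam_unix.so` and checks that `pam_pwhistory.so` carries `remember=` with a value of at least 5 instead. The two sample stacks are constructed for the demo and written to a temporary directory; on a real host the file to check is `/etc/pam.d/system-auth` (and `password-auth`), which the script takes as an argument.

```shell
#!/bin/sh
# Added example, not part of the original post or the SSG project.
# Audits a PAM "password" stack for how password reuse is enforced.

# pwhistory_ok FILE
# Returns 0 when a non-comment "password" line loads pam_pwhistory.so with
# remember=N and N >= 5 (the value the RHEL 7 STIG asks for), else 1.
pwhistory_ok() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[^#]*pam_pwhistory\.so[^#]*remember=([5-9]|[1-9][0-9]+)' "$1"
}

# pam_unix_has_remember FILE
# Returns 0 when pam_unix.so carries remember=, the construct the bug report
# says cannot be made to work properly under SELinux, else 1.
pam_unix_has_remember() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[^#]*pam_unix\.so[^#]*remember=' "$1"
}

# audit_pam_reuse FILE
# Exit status: 0 = pam_pwhistory enforces reuse and pam_unix has no remember=,
#              1 = no (or too small) pam_pwhistory remember= setting,
#              2 = remember= is still set on pam_unix.so.
audit_pam_reuse() {
    if pam_unix_has_remember "$1"; then
        return 2
    fi
    if ! pwhistory_ok "$1"; then
        return 1
    fi
    return 0
}

# report FILE: human-readable wrapper around audit_pam_reuse
report() {
    audit_pam_reuse "$1"
    case $? in
        0) echo "$1: OK, password reuse enforced via pam_pwhistory" ;;
        1) echo "$1: FAIL, pam_pwhistory.so remember= missing or below 5" ;;
        2) echo "$1: FAIL, remember= set on pam_unix.so; move it to pam_pwhistory.so" ;;
    esac
}

# Constructed sample stacks (hypothetical paths under a temp dir, not real host files).
tmpdir=$(mktemp -d)
WEAK_CFG="$tmpdir/system-auth.weak"
FIXED_CFG="$tmpdir/system-auth.fixed"

# The stack the post ran into: remember= on pam_unix.so.
cat > "$WEAK_CFG" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF

# The stack the bug report recommends: pam_pwhistory.so carries remember=.
cat > "$FIXED_CFG" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
EOF

report "$WEAK_CFG"
report "$FIXED_CFG"
```

Run it as-is to see both verdicts, or call `audit_pam_reuse /etc/pam.d/system-auth` from a compliance script and branch on the exit status. The patterns only look at lines whose first field is `password`, so `remember=` on an `auth` or `account` line (which would have no effect on reuse) is ignored rather than counted as compliant.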