Closed DianaMariaDDM closed 3 months ago
Hi @DianaMariaDDM
Thank you for taking the time to raise this issue and the related PR. I have been looking for the configuration you are referring to. While we are aware it needs the pwhistory library added, this is not shown in the remediation steps of the downloaded PDF of the benchmark for the released 1.0.0; the artifact 5.4.3.1 is only available in the online version. Looking at the online version of the same document, it mentions the configurations you have mentioned and the pwhistory library. We will investigate this issue further and look to get the PR approved ASAP.
Many thanks
uk-bolly
I believe that this issue has been addressed and the fix merged? I will close this issue, please feel free to reopen or raise a new one if this particular problem still exists.
Many thanks
uk-bolly
Describe the Issue
Wrong implementation of the settings required by CIS

Expected Behavior
CIS clearly states in its assessments that for this rule ("Ensure password reuse is limited") the
password required pam_pwhistory.so use_authtok remember=5
line should be placed directly above the
password [success=1 default=ignore] pam_unix.so obscure yescrypt
line in the "/etc/pam.d/common-password" file.

Actual Behavior
With the current situation, only this line
password [success=1 default=ignore] pam_unix.so obscure
gets edited in the file by adding remember=5. CIS does not consider this as compliant.

Control(s) Affected
5.4.3 Ensure password reuse is limited

Possible Solution
The solution will be provided in a PR.
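
An audit check for the layout this issue describes, as an added example that is not part of the issue, the PR or the project's code: it parses the password stack of a common-password file and reports whether `pam_pwhistory.so` sits directly above `pam_unix.so` with `remember` set. The sample file contents, the function names and the rule that values above 5 also pass are assumptions made for the example.

```python
import re

# Constructed samples of /etc/pam.d/common-password, not taken from the issue.
COMPLIANT = """\
password requisite pam_pwquality.so retry=3
password required pam_pwhistory.so use_authtok remember=5
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_deny.so
"""
UNIX_ONLY = """\
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure yescrypt remember=5
password requisite pam_deny.so
"""

def password_stack(text):
    """Return (module, args) for each active 'password' line, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        # The control field is one word or a bracketed list that contains spaces.
        m = re.match(r"password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            stack.append((m.group(1).rsplit("/", 1)[-1], m.group(2).split()))
    return stack

def remember_value(args):
    """Return the last remember=N value in a module's arguments, or None."""
    values = [int(a[9:]) for a in args if re.fullmatch(r"remember=\d+", a)]
    return values[-1] if values else None

def audit_password_reuse(text, minimum=5):
    """Return findings; empty means the expected layout (assumption: N >= minimum passes)."""
    stack = password_stack(text)
    modules = [module for module, _ in stack]
    if "pam_unix.so" not in modules:
        return ["no pam_unix.so password line found"]
    i = modules.index("pam_unix.so")
    findings = []
    if i == 0 or modules[i - 1] != "pam_pwhistory.so":
        findings.append("pam_pwhistory.so is not directly above pam_unix.so")
        if remember_value(stack[i][1]) is not None:
            findings.append("remember= is set on the pam_unix.so line")
    elif (remember_value(stack[i - 1][1]) or 0) < minimum:
        findings.append(f"pam_pwhistory.so remember is below {minimum}")
    return findings

if __name__ == "__main__":
    for name, sample in (("compliant", COMPLIANT), ("unix-only", UNIX_ONLY)):
        print(name, audit_password_reuse(sample) or "OK")
```

The check does not follow `@include` directives or backslash line continuations, so it should be run against each file that contributes to the password stack.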