← Back to VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

V-258822

CAT II (Medium)

The Photon operating system must prohibit password reuse for a minimum of five generations.

Rule ID

SV-258822r933527_rule

STIG

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000200

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Check Content

At the command line, run the following commands to verify passwords are not reused for a minimum of five generations:

# grep '^password.*pam_pwhistory.so' /etc/pam.d/system-password

Example result:

password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok

If the "remember" option is not set to "5" or greater, this is a finding.

Fix Text

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwhistory.so line to have the "remember" option set to 5 or greater as follows:

password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.