← Back to Nutanix AOS 5.20.x OS Security Technical Implementation Guide

V-254220

CAT II (Medium)

Nutanix AOS must prohibit password reuse for a minimum of five generations.

Rule ID

SV-254220r982201_rule

STIG

Nutanix AOS 5.20.x OS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000200

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Check Content

Confirm Nutanix AOS is configured to prohibit password reuse for a minimum of five generations.

$ sudo grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
password requisite pam_pwhistory.so use_authtok remember=5 retry=3

If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.

Fix Text

Configure the password maximum age by running the following command:

$ sudo salt-call state.sls security/CVM/pamCVM