---
title: Avoid using remember in pam_unix module
---

# Avoid using remember in pam_unix module
 
## Description{% #description %}

The `remember` option of `pam_unix` stores the last n passwords for each user in `/etc/security/opasswd`, enforcing password history so that users cannot reuse recent passwords. However, this feature hashes the stored history entries with MD5, a weak algorithm. The `pam_pwhistory` module should be used instead: it also stores the last n passwords in `/etc/security/opasswd`, but it hashes them with the algorithm configured for `pam_unix`, such as yescrypt or SHA512, which is considerably stronger.

On Debian-based systems, the `remember` option should be removed from the PAM configuration in `/etc/pam.d/common-*` files.
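As an added example (not part of this rule or its remediation content), the following shell audits a `common-password` stack for the exact pattern the rule describes, `remember=N` on a `pam_unix.so` line, checks whether `pam_pwhistory` carries the history instead, and strips the option the way the remediation does. The function names are hypothetical and the two sample files are constructed.

```bash
#!/bin/bash
# Added example: audit a PAM password stack for pam_unix remember= and for
# pam_pwhistory, then remove remember= from pam_unix.so. Samples are constructed.

# Count password-type pam_unix.so lines carrying remember=N (comment lines are skipped).
count_pam_unix_remember() {
    grep -Ec '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]]remember=[0-9]+' "$1" || true
}

# Return 0 when pam_pwhistory.so is configured in the password stack with remember=N.
has_pwhistory() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_pwhistory\.so.*[[:space:]]remember=[0-9]+' "$1"
}

# Strip remember=N from pam_unix.so lines in place. Same intent as the remediation's
# sed, written with a POSIX digit class because GNU sed has no \d escape.
strip_pam_unix_remember() {
    sed -i -E '/pam_unix\.so/ s/[[:space:]]+remember=[0-9]+//g' "$1"
}

# Classify a file: "noncompliant" (remember= on pam_unix), "compliant" (history via
# pam_pwhistory) or "compliant-no-history" (no history enforced at all).
audit_password_stack() {
    if [ "$(count_pam_unix_remember "$1")" -gt 0 ]; then
        echo noncompliant
    elif has_pwhistory "$1"; then
        echo compliant
    else
        echo compliant-no-history
    fi
}

# Constructed sample: Debian-style common-password with remember= on pam_unix.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password    requisite                    pam_pwquality.so retry=3
password    [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5
password    requisite                    pam_deny.so
EOF

# Constructed sample: history handled by pam_pwhistory; pam_unix carries no remember=.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
password    requisite                    pam_pwquality.so retry=3
password    requisite                    pam_pwhistory.so remember=5 use_authtok
password    [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass yescrypt
password    requisite                    pam_deny.so
EOF

echo "bad: $(audit_password_stack "$BAD_CONF")  good: $(audit_password_stack "$GOOD_CONF")"
```

Running `strip_pam_unix_remember` on the first sample leaves a stack with no history enforcement at all, which is why the rule pairs removal of `remember` with adding `pam_pwhistory` rather than removal alone.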

## Rationale{% #rationale %}

Removing the `remember` argument ensures the use of a stronger password hashing algorithm. A more robust hash algorithm increases the difficulty for attackers to crack stored passwords in `/etc/security/opasswd`, thereby improving system security and protecting user credentials.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

# Remediation is applicable only on Debian-based platforms that ship libpam-runtime
if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then

    # Debian-based systems: manage the pam_unix profile through pam-auth-update
    conf_name=cac_unix
    conf_path="/usr/share/pam-configs"

    # Create a site-specific copy of the stock "unix" profile with a higher
    # priority and a Conflicts: line, so pam-auth-update selects it instead.
    if [ ! -f "$conf_path"/"$conf_name" ]; then
        if [ -f "$conf_path"/unix ]; then
            # Only copy a pristine profile: its checksum must match the one shipped by the package
            if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums; then
                cp "$conf_path"/unix "$conf_path"/"$conf_name"
                sed -i 's/Priority: [0-9]\+/Priority: 257\
Conflicts: unix/' "$conf_path"/"$conf_name"
                DEBIAN_FRONTEND=noninteractive pam-auth-update
            else
                echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
            fi
        else
            echo "Not applicable - $conf_path/unix does not exist" >&2
        fi
    fi

    # Drop remember=N from pam_unix.so lines inside the Password stanzas of the profile.
    # GNU sed has no \d escape, so digits are matched with [0-9].
    config_file="$conf_path"/"$conf_name"
    sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
        /pam_unix\.so/ {
            s/\s*\bremember=[0-9]+\b//g
        }
    }' "$config_file"

    # Regenerate /etc/pam.d/common-* from the updated profiles
    DEBIAN_FRONTEND=noninteractive pam-auth-update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - accounts_password_pam_unix_no_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Avoid using remember in pam_unix module - Remove remember option from pam_unix.so
  ansible.builtin.replace:
    dest: '{{ item }}'
    regexp: (\s+pam_unix\.so.*)\s+remember=\d+\b(.*)
    replace: \1\2
  loop:
  - /etc/pam.d/common-password
  - /etc/pam.d/common-auth
  - /etc/pam.d/common-account
  - /etc/pam.d/common-session
  - /etc/pam.d/common-session-noninteractive
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - accounts_password_pam_unix_no_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
```

## Warning{% #warning %}

If the system relies on the `authselect` tool to manage PAM settings, the remediation will also use the `authselect` tool. However, if any manual modification has been made to the PAM files, the `authselect` integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message is shown in the remediation report.
