mediumaccess-controlverified ✓rollback-safe
Ensure pam_pwhistory module is enabled
pam-pwhistory-enabled · RHEL ≥ 8 · 2 impls
Description
The pam_pwhistory module should be enabled to prevent password reuse by maintaining a history of previously used passwords.
Rationale
Password history prevents users from cycling through a small set of passwords, improving overall password security.
Check → Remediate
Checkcommand
if grep -qE '^password.*pam_pwhistory\.so' /etc/pam.d/system-auth 2>/dev/null; then echo "OK: pam_pwhistory configured" exit 0 fi echo "FAIL: pam_pwhistory not enabled" exit 1
- expected_exit:
- 0
Remediatepam_module_configure
- service:
- system-auth
- module:
- pam_pwhistory.so
- type:
- password
- control:
- requisite
- args:
- use_authtok
Framework references
CIS
rhel9 5.3.2.4rhel10 5.3.1.4rhel8 5.3.2.4
NIST 800-53
IA-5
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#password#history#security