← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure password history remember is configured

pam-pwhistory-remember · RHEL ≥ 8 · 1 impl

Description

Password history must be configured to prevent reuse.

Rationale

Without password history, users could alternate between a small set of passwords, reducing security.

Check → Remediate

Checkcommand
grep -qE '^\s*remember\s*=\s*([5-9]|[1-9][0-9]+)' /etc/security/pwhistory.conf 2>/dev/null || grep -qE 'pam_pwhistory\.so.*remember=([5-9]|[1-9][0-9]+)' /etc/pam.d/system-auth
expected_exit:
0
Remediateconfig_set
path:
/etc/security/pwhistory.conf
key:
remember
value:
{{ password_remember }}
separator:
=

Framework references

CIS

rhel9 5.3.3.3.1rhel10 5.3.2.3.1rhel8 5.3.3.3.1

NIST 800-53

IA-5

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#password#history