mediumaccess-controlverified ✓rollback-safe
Ensure password history remember is configured
pam-pwhistory-remember · RHEL ≥ 8 · 1 impl
Description
Password history must be configured to prevent reuse.
Rationale
Without password history, users could alternate between a small set of passwords, reducing security.
Check → Remediate
Checkcommand
grep -qE '^\s*remember\s*=\s*([5-9]|[1-9][0-9]+)' /etc/security/pwhistory.conf 2>/dev/null || grep -qE 'pam_pwhistory\.so.*remember=([5-9]|[1-9][0-9]+)' /etc/pam.d/system-auth
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/security/pwhistory.conf
- key:
- remember
- value:
- {{ password_remember }}
- separator:
- =
Framework references
CIS
rhel9 5.3.3.3.1rhel10 5.3.2.3.1rhel8 5.3.3.3.1
NIST 800-53
IA-5
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#password#history