
5.3.2.4 Ensure pam_pwhistory module is enabled

Audit

Run the following command to verify that pam_pwhistory is enabled:

# grep -P -- '\bpam_pwhistory\.so\b' /etc/pam.d/common-password

Output should be similar to:

password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Remediation

Run the following command to verify that a pam_pwhistory.so line exists in a pam-auth-update profile:

# grep -P -- '\bpam_pwhistory\.so\b' /usr/share/pam-configs/*

Output should be similar to:

/usr/share/pam-configs/pwhistory: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

- IF - similar output is returned: Run the following command to update /etc/pam.d/common-password with the returned profile:

# pam-auth-update --enable {PROFILE_NAME}

Example:

# pam-auth-update --enable pwhistory

- IF - similar output is NOT returned: Create a pwhistory profile in /usr/share/pam-configs/ with the following lines:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
 requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example:

#!/usr/bin/env bash
{
    # Profile fields in pam-auth-update format; the module line is a
    # continuation line of the Password: field, hence its leading space
    arr=('Name: pwhistory password history checking' 'Default: yes' 'Priority: 1024' 'Password-Type: Primary' 'Password:' ' requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok')
    # Write one field per line into the new profile
    printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/pwhistory
}

Run the following command to update the /etc/pam.d/common-password with the pwhistory profile:

# pam-auth-update --enable pwhistory

Note:
- The name used for the file must be used in the pam-auth-update --enable command
- The Name: line should be easily recognizable and understood
- The Priority: line is important as it affects the order of the lines in the /etc/pam.d/ files
- If a site-specific custom profile is being used in your environment to configure PAM that includes the configuration for the pam_pwhistory module, enable that profile instead
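As an added illustration (not part of the CIS text or its scripts), the following bash script turns the audit and the profile lookup above into two reusable checks. pwhistory_audit reads a pam.d password stack, skips commented-out lines, and fails when pam_pwhistory.so is absent, when remember= is below the expected 24, or when enforce_for_root is missing; pwhistory_profile_names prints the basename of every pam-configs profile that carries the module, which is the argument pam-auth-update --enable needs. The sample files it runs against are constructed in a temporary directory so nothing touches the live /etc/pam.d/common-password or /usr/share/pam-configs/.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the pam_pwhistory check. All sample
# inputs below are constructed; point pwhistory_audit at
# /etc/pam.d/common-password to check a real system.

# Return 0 if $1 holds an active pam_pwhistory.so line with remember= of at
# least $2 (default 24) and enforce_for_root; print the reason and return 1 otherwise.
pwhistory_audit() {
  local file="$1" min_remember="${2:-24}" line remember
  # Ignore commented-out lines; match the module name as a whole word
  line=$(grep -P -- '^\s*[^#].*\bpam_pwhistory\.so\b' "$file" | head -n 1)
  if [ -z "$line" ]; then
    echo "FAIL: no active pam_pwhistory.so line in $file"
    return 1
  fi
  remember=$(printf '%s\n' "$line" | grep -oP -- '\bremember=\K[0-9]+' || true)
  if [ -z "$remember" ]; then
    echo "FAIL: pam_pwhistory.so line has no remember= option"
    return 1
  fi
  if [ "$remember" -lt "$min_remember" ]; then
    echo "FAIL: remember=$remember is below the expected $min_remember"
    return 1
  fi
  if ! printf '%s\n' "$line" | grep -qP -- '\benforce_for_root\b'; then
    echo "FAIL: enforce_for_root missing, so root password changes skip the history check"
    return 1
  fi
  echo "PASS: $line"
  return 0
}

# Print the basename of each profile under the pam-configs directory $1 that
# references pam_pwhistory.so (the name to pass to pam-auth-update --enable)
pwhistory_profile_names() {
  local dir="$1" f
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if grep -qP -- '\bpam_pwhistory\.so\b' "$f"; then
      basename "$f"
    fi
  done
}

# Constructed sample password stacks standing in for /etc/pam.d/common-password
demo_dir=$(mktemp -d)
printf '%s\n' \
  'password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
  > "$demo_dir/compliant"
printf '%s\n' \
  '# password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
  > "$demo_dir/commented_out"
printf '%s\n' \
  'password requisite pam_pwhistory.so remember=5 enforce_for_root try_first_pass use_authtok' \
  > "$demo_dir/weak"
printf '%s\n' \
  'password requisite pam_pwhistory.so remember=24 try_first_pass use_authtok' \
  > "$demo_dir/no_root"

# Constructed sample pam-configs directory: one profile with the module, one without
mkdir -p "$demo_dir/pam-configs"
printf '%s\n' 'Name: pwhistory password history checking' 'Default: yes' 'Priority: 1024' \
  'Password-Type: Primary' 'Password:' \
  ' requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok' \
  > "$demo_dir/pam-configs/pwhistory"
printf '%s\n' 'Name: Unix authentication' 'Default: yes' 'Priority: 256' \
  'Password-Type: Primary' 'Password:' \
  ' [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
  > "$demo_dir/pam-configs/unix"

# Run the audit over every sample and list the profiles that provide the module
for f in "$demo_dir"/compliant "$demo_dir"/commented_out "$demo_dir"/weak "$demo_dir"/no_root; do
  pwhistory_audit "$f" || true
done
echo "profiles providing pam_pwhistory.so: $(pwhistory_profile_names "$demo_dir/pam-configs")"
```

Only the first sample passes; the commented-out, remember=5 and missing-enforce_for_root variants each fail with a distinct reason, which is the detail a bare grep for the module name does not give you.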