
5.3.3.3.1 Ensure password history remember is configured

Audit

Run the following command and verify that:

- The pam_pwhistory line in /etc/pam.d/common-password includes the remember= argument
- The value of remember= is 24 or more
- The value meets local site policy

# grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password

Output should be similar to:

password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
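As an added example (not part of the benchmark text), the following POSIX shell script performs the same audit as the grep above using awk instead of a PCRE pattern: it extracts the remember= value from the pam_pwhistory line of a PAM password stack read on stdin and reports whether it meets the minimum of 24. The three sample stacks are constructed inline and are not real system files; the function names are this example's own. To check the live configuration, pipe /etc/pam.d/common-password into pwhistory_meets_policy.

```shell
#!/bin/sh
# Added example, not CIS benchmark code: audit the pam_pwhistory remember=
# setting of a PAM "password" stack supplied on stdin (format as in
# /etc/pam.d/common-password).

# pwhistory_remember_value: print N from the first uncommented
# "password ... pam_pwhistory.so ... remember=N" line on stdin.
# Prints nothing when no such argument is present.
pwhistory_remember_value() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        $1 == "password" && /pam_pwhistory\.so/ {
            sub(/#.*/, "")                         # drop a trailing inline comment
            for (i = 3; i <= NF; i++) {            # module arguments start at field 3
                if ($i ~ /^remember=[0-9]+$/) {
                    split($i, kv, "=")
                    print kv[2]
                    exit
                }
            }
        }
    '
}

# pwhistory_meets_policy MIN: read a stack on stdin; return 0 when remember=
# is present and >= MIN (24 for this control), 1 otherwise.
pwhistory_meets_policy() {
    min="${1:-24}"
    val="$(pwhistory_remember_value)"
    if [ -n "$val" ] && [ "$val" -ge "$min" ]; then
        return 0
    fi
    return 1
}

# Constructed sample stacks (not real system files) for a stand-alone run.
COMPLIANT_STACK='# /etc/pam.d/common-password (constructed sample)
password requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt'

WEAK_STACK='password requisite pam_pwhistory.so remember=5 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok yescrypt'

MISSING_STACK='password [success=1 default=ignore] pam_unix.so obscure use_authtok yescrypt'

# report LABEL STACK: print PASS or FAIL for one stack.
report() {
    if printf '%s\n' "$2" | pwhistory_meets_policy 24; then
        echo "$1: PASS (remember >= 24)"
    else
        echo "$1: FAIL (remember= missing or below 24)"
    fi
}

report compliant "$COMPLIANT_STACK"
report weak "$WEAK_STACK"
report missing "$MISSING_STACK"
```

The check deliberately ignores commented-out lines and inline comments, so a stale `# password requisite pam_pwhistory.so remember=24` left behind by an earlier edit does not produce a false pass.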

Remediation

Run the following command:

# awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*

Edit any returned files: on the pam_pwhistory line in the Password section, edit or add the remember= argument with a value of 24 or more that meets local site policy.

Example file:

Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok # <- **ensure line includes remember=<N>**

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable pwhistory
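An added example, not from the benchmark, that automates the edit step of the remediation above: a filter that adds remember= to the pam_pwhistory line inside the Password: section of a pam-configs profile, raises it when the existing value is below the minimum, and leaves other sections and an already-compliant value untouched. The profiles shown are constructed and the function name set_pwhistory_remember is this example's own. Review the output before replacing a file under /usr/share/pam-configs/, then run pam-auth-update as described above.

```shell
#!/bin/sh
# Added example, not CIS benchmark code: set remember=MIN on the pam_pwhistory
# line of a pam-configs profile read on stdin, touching only the Password: section.

# set_pwhistory_remember MIN: filter a profile from stdin to stdout.
set_pwhistory_remember() {
    awk -v min="$1" '
        /^Password:/      { insec = 1; print; next }   # enter the Password: section
        /^[A-Za-z-]+:/    { insec = 0 }                # any other header ends it
        insec && /pam_pwhistory\.so/ {
            if (match($0, /remember=[0-9]+/)) {
                # "remember=" is 9 characters; compare the existing value with MIN
                cur = substr($0, RSTART + 9, RLENGTH - 9) + 0
                if (cur < min) {
                    $0 = substr($0, 1, RSTART - 1) "remember=" min substr($0, RSTART + RLENGTH)
                }
            } else {
                # no remember= argument at all: insert it after the module name
                sub(/pam_pwhistory\.so/, "pam_pwhistory.so remember=" min)
            }
        }
        { print }
    '
}

# Constructed sample profiles (not the real /usr/share/pam-configs/pwhistory).
PROFILE_WEAK='Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
    requisite pam_pwhistory.so remember=5 enforce_for_root try_first_pass use_authtok'

PROFILE_MISSING='Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
    requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok'

PROFILE_OK='Name: pwhistory password history checking
Default: yes
Priority: 1024
Password-Type: Primary
Password:
    requisite pam_pwhistory.so remember=30 enforce_for_root try_first_pass use_authtok'

# pwhistory_line MIN PROFILE: print the resulting pam_pwhistory line only.
pwhistory_line() {
    printf '%s\n' "$2" | set_pwhistory_remember "$1" | grep 'pam_pwhistory\.so'
}

echo "weak    -> $(pwhistory_line 24 "$PROFILE_WEAK")"
echo "missing -> $(pwhistory_line 24 "$PROFILE_MISSING")"
echo "ok      -> $(pwhistory_line 24 "$PROFILE_OK")"
```

Because the filter only rewrites lines between Password: and the next section header, a pam_pwhistory reference in another section of the same profile is left alone, and an existing value above the minimum is preserved rather than lowered to it.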