Automate remediation for pam-pwhistory-remember #81

@remyluslosius

Description

Problem

pam-pwhistory-remember is currently marked as mechanism: manual with a note to configure remember in /etc/security/pwhistory.conf or pam_pwhistory.so. This means Kensa cannot auto-remediate this rule — it shows up as manual in downstream tools like OpenWatch.

Context

The sibling rules (pam-pwhistory-enabled, pam-pwhistory-root, pam-pwhistory-use-authtok) all have automated command_exec remediation using authselect. This rule should follow the same pattern.

The check currently looks in two places:

  • /etc/security/pwhistory.conf (the remember setting)
  • /etc/pam.d/system-auth (the pam_pwhistory.so remember= parameter)

The correct remediation target depends on the host's PAM management approach (authselect vs direct editing vs pwhistory.conf).

Proposed Fix

Add a capability-gated implementation:

```yaml
implementations:
  - when: authselect
    check: ...
    remediation:
      mechanism: command_exec
      run: |
        if grep -qE '^\s*remember\s*=' /etc/security/pwhistory.conf; then
          sed -i 's/^\s*remember\s*=.*/remember = {{ pwhistory_remember }}/' /etc/security/pwhistory.conf
        else
          echo 'remember = {{ pwhistory_remember }}' >> /etc/security/pwhistory.conf
        fi

  - default: true
    check: ...
    remediation:
      mechanism: manual
      note: "Configure remember in /etc/security/pwhistory.conf or pam_pwhistory.so"
```

This keeps the manual fallback for hosts without authselect while automating the common case.

References

  • Rule file: rules/access-control/pam-pwhistory-remember.yml
  • CIS RHEL 9 v2.0.0: Section 5.3.3.3.1
  • NIST 800-53: IA-5
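As an added example (not the rule file from this issue or Kensa's own code), the check and the idempotent remediation for the pwhistory.conf branch, written as POSIX shell functions that take the file path and value as parameters so they can be exercised against a scratch copy rather than /etc/security/pwhistory.conf; the function names and the sample config are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not Kensa's rule code. Function names are hypothetical.

# Print the effective `remember` value: last uncommented assignment wins,
# as pwhistory.conf is read top to bottom. Prints nothing if unset.
pwhistory_remember_get() {
  file=$1
  [ -f "$file" ] || return 1
  sed -n 's/^[[:space:]]*remember[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$file" | tail -n 1
}

# Check: succeed only if the configured value meets the required minimum.
pwhistory_remember_check() {
  file=$1; minimum=$2
  current=$(pwhistory_remember_get "$file") || return 1
  [ -n "$current" ] && [ "$current" -ge "$minimum" ]
}

# Remediate: rewrite an existing uncommented assignment in place, otherwise
# append one. Commented-out lines such as `# remember = 3` are left alone,
# so a second run changes nothing (idempotent).
pwhistory_remember_set() {
  file=$1; value=$2
  # Refuse non-numeric values so nothing unexpected reaches the sed pattern.
  case $value in ''|*[!0-9]*) echo "remember must be numeric" >&2; return 2 ;; esac
  if grep -qE '^[[:space:]]*remember[[:space:]]*=' "$file" 2>/dev/null; then
    sed -i "s/^[[:space:]]*remember[[:space:]]*=.*/remember = $value/" "$file"
  else
    printf 'remember = %s\n' "$value" >> "$file"
  fi
}

# Stand-alone demonstration on a constructed sample config (not a real host).
demo_pwhistory_remember() {
  tmp=$(mktemp)
  printf '# remember = 3\nremember = 2\nenforce_for_root\n' > "$tmp"
  if pwhistory_remember_check "$tmp" 24; then
    echo "compliant before remediation (unexpected)"; rm -f "$tmp"; return 1
  fi
  pwhistory_remember_set "$tmp" 24
  if pwhistory_remember_check "$tmp" 24; then
    echo "remediated: remember = $(pwhistory_remember_get "$tmp")"
  else
    echo "remediation failed"; rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
}
```

The commented `# remember = 3` line in the sample is the case the issue's grep pattern must not match, otherwise the edit would fire on every run.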
