diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml index 691a5b6d74a8..a3c5e90fb093 100644 --- a/controls/cis_rhel10.yml +++ b/controls/cis_rhel10.yml @@ -2106,13 +2106,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: + recommended by this policy. Instead, it should be used remember option of pam_pwhistory + module, as required in 5.3.2.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 5.3.2.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a5b889cd589e..baab83b1e371 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1991,13 +1991,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory + recommended by this policy. Instead, it should be used remember option of pam_pwhistory module, as required in 4.4.3.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 4.4.3.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml
new file mode 100644
index 000000000000..6442dde33977
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml
@@ -0,0 +1,18 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{% if 'ubuntu' in product or 'debian' in product %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth', '/etc/pam.d/common-account', '/etc/pam.d/common-session', '/etc/pam.d/common-session-noninteractive']" %}}
+{{% else %}}
+{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
+{{% endif %}}
+
+- name: '{{{ rule_title }}} - Remove remember option from pam_unix.so'
+ ansible.builtin.replace:
+ dest: "{{ item }}"
+ regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'
+ replace: '\1\2'
+ loop: {{{ pam_config_paths }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
index 0793ace96683..d26921328504
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
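Review bot: The Ansible remediation rewrites /etc/pam.d/system-auth and /etc/pam.d/password-auth in place with `ansible.builtin.replace`, while bash/shared.sh in the same change routes the RHEL branch through `bash_remove_pam_module_option_configuration` when /usr/bin/authselect exists, and rule.yml's new warning tells users that the remediation "will also use authselect tool". On an authselect-managed host those two paths are symlinks into the authselect-generated configuration, so a direct edit is likely to trip the authselect integrity check or be undone by the next authselect apply; the Ansible side should either go through the authselect-aware Ansible macro that mirrors the bash one, if the macro library provides it, or the warning should say that only the bash remediation is authselect-aware. Separately, `regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'` is not restricted to `password` lines or to uncommented text, whereas the OVAL check only flags `password` entries with `remember=` before any `#`; anchoring it as `regexp: '^(\s*password\s+.*pam_unix\.so.*)\s+remember=\d+\b(.*)'` keeps the remediation aligned with what the check measures (the Debian loop over common-auth/account/session would then only touch lines the check cares about).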
@@ -1,9 +1,11 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu # reboot = false # strategy = configure # complexity = low # disruption = medium +{{% if 'ubuntu' in product or 'debian' in product %}} +# Debian-based systems: Use pam-auth-update {{{ bash_pam_unix_enable() }}} config_file="/usr/share/pam-configs/cac_unix" sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ { @@ -13,3 +15,13 @@ sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ { }' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} +# RHEL-based systems: Use authselect-aware approach +if [ -f /usr/bin/authselect ]; then + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} +else + {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} +fi +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml index 81c0031d89e3..94b4e9466579 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml 
@@ -12,7 +12,11 @@ +{{% if 'ubuntu' in product or 'debian' in product %}} ^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$ +{{% else %}} + ^/etc/pam.d/(system|password)-auth$ +{{% endif %}} ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$ 1 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml index 5c13a69aeffb..5e11fc66bb94 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml @@ -9,13 +9,48 @@ description: |- module should be used. This module also stores the last n passwords in /etc/security/opasswd and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512, offering enhanced security. + {{% if 'ubuntu' in product or 'debian' in product %}} +
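Review bot: The content pattern `^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$` accepts only `sufficient`, `required` or a bracketed control before pam_unix.so, so a `password requisite pam_unix.so ... remember=5` entry would be reported compliant even though the Ansible remediation strips the option regardless of control. If the other control words are intentionally out of scope that deserves a short comment in the definition; otherwise `(?:sufficient|required|requisite|optional|\[.*\])` closes the gap. Only the text nodes of this hunk survived extraction (the XML elements are not visible here), so the object and state the patterns belong to were not checked.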

+ On Debian-based systems, the remember option should be removed from the PAM configuration + in /etc/pam.d/common-* files. + {{% else %}} +

+ The remember option should be removed from the PAM configuration + in /etc/pam.d/system-auth and /etc/pam.d/password-auth files. + {{% endif %}} rationale: |- Removing the remember argument ensures the use of a stronger password hashing algorithm. A more robust hash algorithm increases the difficulty for attackers to crack stored passwords in /etc/security/opasswd, thereby improving system security and - protecting user credentials. + protecting user credentials. severity: medium +identifiers: + cce@rhel8: CCE-90728-7 + cce@rhel9: CCE-90726-1 + cce@rhel10: CCE-90725-3 + platform: package[pam] + +warnings: + - general: |- + If the system relies on authselect tool to manage PAM settings, the remediation + will also use authselect tool. However, if any manual modification was made in + PAM files, the authselect integrity check will fail and the remediation will be + aborted in order to preserve intentional changes. In this case, an informative message will + be shown in the remediation report. + +ocil_clause: 'the remember option is found in pam_unix.so configuration' + +ocil: |- + To verify that the remember option is not present in pam_unix.so configuration, + run the following command: + {{% if 'ubuntu' in product or 'debian' in product %}} +
$ grep -rE "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/common-*
+ {{% else %}} +
$ grep -E "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/system-auth /etc/pam.d/password-auth
+ {{% endif %}}
+ The command should not return any output. If any lines are returned, it means the remember
+ option is configured in pam_unix.so, which is not compliant with this requirement.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh
new file mode 100644
index 000000000000..92ce2278b8e8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Ensure system-auth and password-auth don't have remember option
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add a clean pam_unix.so line without remember if it doesn't exist
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+ echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/system-auth
+fi
+
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+ echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/password-auth
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh
new file mode 100644
index 000000000000..f3cb36505d14
--- /dev/null
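Review bot: The OCIL commands `grep -E "^\s*password\s+.*pam_unix\.so.*\bremember=" ...` match `remember=` anywhere after pam_unix.so, so an entry that only carries `remember=` in a trailing `#` comment is reported as non-compliant by the manual check while the OVAL pattern excludes it via `[^#]+`; using `pam_unix\.so[^#]*\bremember=` in both grep commands (the common-* one too) keeps the manual and automated checks consistent. In the `identifiers:` block the rendering shows `+ platform: package[pam]` indented like the `cce@` lines while `+warnings:` and `+ocil:` are flush left, which suggests `platform:` ended up nested under `identifiers:` rather than as a top-level key; if so the platform applicability is silently lost and the line should be dedented to `platform: package[pam]`. The rule.yml hunk starts on an earlier line of this page and its `<pre>` blocks did not survive extraction, so only the visible text was reviewed.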
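Review bot: All four RHEL scenarios (this one, remember_commented_rhel.pass.sh, and the two remember_present_*.fail.sh files further down) prepare the system by editing /etc/pam.d/system-auth and /etc/pam.d/password-auth directly with `sed -i --follow-symlinks` and `echo >>`. On the RHEL-family images these platforms name, authselect manages those files, so editing the symlink targets presumably leaves the generated configuration out of sync with the selected profile, and the bash remediation's authselect branch is documented in rule.yml as aborting on a failed integrity check; if that holds, the fail scenarios can never be remediated to a pass and the scenario should instead prepare the files the way sibling pam_unix/pwhistory scenarios do (through a custom authselect profile or the shared test macros) — worth confirming against the harness. There is also no scenario for the bracketed `[success=1 default=ignore]` control the OVAL accepts, and, unless Ubuntu scenarios already exist outside this diff, none for the new common-* branch that the check and both remediations gained.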
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Commented lines should pass (comments are ignored)
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add commented line with remember (should be ignored)
+echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+
+# Add clean active lines without remember
+echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/system-auth
+echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh
new file mode 100644
index 000000000000..67d6ca691e2f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to password-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+ # If pam_unix.so line exists, add remember option
+ sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/password-auth
+else
+ # If no pam_unix.so line exists, add one with remember
+ echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh
new file mode 100644
index 000000000000..1914e2484f41
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to system-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+ # If pam_unix.so line exists, add remember option
+ sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/system-auth
+else
+ # If no pam_unix.so line exists, add one with remember
+ echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+fi
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index e5b03ac75807..75006bd5da19
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -2035,13 +2035,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory + recommended by this policy. Instead, it should be used remember option of pam_pwhistory module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 5.3.3.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 963e26fadc69..0c6a49b2a0fa 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -2421,6 +2421,3 @@ CCE-90720-4 CCE-90721-2 CCE-90722-0 CCE-90723-8 -CCE-90725-3 -CCE-90726-1 -CCE-90728-7 diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile index 353276de259e..9e32e0b0e61c 100644 --- a/tests/data/profile_stability/rhel10/cis.profile +++ b/tests/data/profile_stability/rhel10/cis.profile @@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok accounts_password_pam_pwquality_password_auth accounts_password_pam_pwquality_system_auth accounts_password_pam_unix_authtok +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_min_life_existing accounts_password_set_warn_age_existing diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile index 914598916877..c5da206d12c8 100644 --- a/tests/data/profile_stability/rhel10/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile 
@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok accounts_password_pam_pwquality_password_auth accounts_password_pam_pwquality_system_auth accounts_password_pam_unix_authtok +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile index a0c73e821286..88862e80601d 100644 --- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile @@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok accounts_password_pam_pwquality_password_auth accounts_password_pam_pwquality_system_auth accounts_password_pam_unix_authtok +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile index 7ec7962b67ec..02b065d0f0f1 100644 --- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile @@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok accounts_password_pam_pwquality_password_auth accounts_password_pam_pwquality_system_auth accounts_password_pam_unix_authtok +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_min_life_existing accounts_password_set_warn_age_existing diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile index 3a736f7c1dc1..e6bbde1a9106 100644 --- a/tests/data/profile_stability/rhel8/cis.profile +++ b/tests/data/profile_stability/rhel8/cis.profile 
@@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index accc1d4f4a60..c895ad5238d0 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile @@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index b0cfd0ea8aea..3f536cde777f 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile @@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index c4a96e2466c6..2bcf95b9a595 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile 
@@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile index 8a203db31ce7..91062aae6c5e 100644 --- a/tests/data/profile_stability/rhel9/cis.profile +++ b/tests/data/profile_stability/rhel9/cis.profile @@ -17,6 +17,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_min_life_existing accounts_password_set_warn_age_existing diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile index a5dc6c89af50..69deee00db2b 100644 --- a/tests/data/profile_stability/rhel9/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile @@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile index fdaaa9e0cf59..14b3e6a51c26 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile 
@@ -16,6 +16,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_warn_age_existing accounts_password_warn_age_login_defs diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile index f00a69ab0c32..7603c675a3a9 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile @@ -17,6 +17,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_min_life_existing accounts_password_set_warn_age_existing