ComplianceAsCode · Mab879 · Dec 3, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
@@ -2106,13 +2106,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: |-
           Usage of pam_unix.so module together with "remember" option is deprecated and is not
-          recommened by this policy. Instead, it should be used remember option of pam_pwhistory
-          module, as required in 5.3.3.3.1. See here for more details about pam_unix.so:
+          recommended by this policy. Instead, it should be used remember option of pam_pwhistory
+          module, as required in 5.3.2.3.1. See here for more details about pam_unix.so:
           https://bugzilla.redhat.com/show_bug.cgi?id=1778929
-          A new rule needs to be created to remove the remember option from pam_unix module.
+      rules:
+          - accounts_password_pam_unix_no_remember
 
     - id: 5.3.2.4.3
       title: Ensure pam_unix includes a strong password hashing algorithm (Automated)

@@ -1991,13 +1991,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: |-
           Usage of pam_unix.so module together with "remember" option is deprecated and is not
-          recommened by this policy. Instead, it should be used remember option of pam_pwhistory
+          recommended by this policy. Instead, it should be used remember option of pam_pwhistory
           module, as required in 4.4.3.3.1. See here for more details about pam_unix.so:
           https://bugzilla.redhat.com/show_bug.cgi?id=1778929
-          A new rule needs to be created to remove the remember option from pam_unix module.
+      rules:
+          - accounts_password_pam_unix_no_remember
 
     - id: 4.4.3.4.3
       title: Ensure pam_unix includes a strong password hashing algorithm (Automated)

diff --git a/...s-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/...s-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml
@@ -0,0 +1,18 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{% if 'ubuntu' in product or 'debian' in product %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth', '/etc/pam.d/common-account', '/etc/pam.d/common-session', '/etc/pam.d/common-session-noninteractive']" %}}
+{{% else %}}
+{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
+{{% endif %}}
+
+- name: '{{{ rule_title }}} - Remove remember option from pam_unix.so'
+  ansible.builtin.replace:
+    dest: "{{ item }}"
+    regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'
+    replace: '\1\2'
+  loop: {{{ pam_config_paths }}}
diff --git a/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
@@ -1,9 +1,11 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
 
+{{% if 'ubuntu' in product or 'debian' in product %}}
+# Debian-based systems: Use pam-auth-update
 {{{ bash_pam_unix_enable() }}}
 config_file="/usr/share/pam-configs/cac_unix"
 sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
@@ -13,3 +15,13 @@ sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
 }' "$config_file"
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
+# RHEL-based systems: Use authselect-aware approach
+if [ -f /usr/bin/authselect ]; then
+    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+else
+    {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+    {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}}
+fi
+{{% endif %}}
diff --git a/...unts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml b/...unts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml
@@ -12,7 +12,11 @@
     <ind:object object_ref="object_pam_unix_no_remember" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_pam_unix_no_remember" version="1">
+{{% if 'ubuntu' in product or 'debian' in product %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$</ind:filepath>
+{{% else %}}
+    <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...ts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/...ts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml
@@ -9,13 +9,48 @@ description: |-
     module should be used. This module also stores the last n passwords in <tt>/etc/security/opasswd</tt>
     and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,
     offering enhanced security.
+    {{% if 'ubuntu' in product or 'debian' in product %}}
+    <br/><br/>
+    On Debian-based systems, the <tt>remember</tt> option should be removed from the PAM configuration
+    in <tt>/etc/pam.d/common-*</tt> files.
+    {{% else %}}
+    <br/><br/>
+    The <tt>remember</tt> option should be removed from the PAM configuration
+    in <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> files.
+    {{% endif %}}
 
 rationale: |-
     Removing the <tt>remember</tt> argument ensures the use of a stronger password hashing algorithm.
     A more robust hash algorithm increases the difficulty for attackers to crack stored
     passwords in <tt>/etc/security/opasswd</tt>, thereby improving system security and
-    protecting user credentials. 
+    protecting user credentials.
 
 severity: medium
 
+identifiers:
+    cce@rhel8: CCE-90728-7
+    cce@rhel9: CCE-90726-1
+    cce@rhel10: CCE-90725-3
+
 platform: package[pam]
+
+warnings:
+    - general: |-
+        If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation
+        will also use <tt>authselect</tt> tool. However, if any manual modification was made in
+        PAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be
+        aborted in order to preserve intentional changes. In this case, an informative message will
+        be shown in the remediation report.
+
+ocil_clause: 'the remember option is found in pam_unix.so configuration'
+
+ocil: |-
+    To verify that the <tt>remember</tt> option is not present in <tt>pam_unix.so</tt> configuration,
+    run the following command:
+    {{% if 'ubuntu' in product or 'debian' in product %}}
+    <pre>$ grep -rE "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/common-*</pre>
+    {{% else %}}
+    <pre>$ grep -E "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
+    {{% endif %}}
+    The command should not return any output. If any lines are returned, it means the <tt>remember</tt>
+    option is configured in <tt>pam_unix.so</tt>, which is not compliant with this requirement.
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Ensure system-auth and password-auth don't have remember option
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add a clean pam_unix.so line without remember if it doesn't exist
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+    echo "password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/system-auth
+fi
+
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+    echo "password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/password-auth
+fi
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Commented lines should pass (comments are ignored)
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add commented line with remember (should be ignored)
+echo "# password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+echo "# password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+
+# Add clean active lines without remember
+echo "password    sufficient    pam_unix.so sha512 shadow" >> /etc/pam.d/system-auth
+echo "password    sufficient    pam_unix.so sha512 shadow" >> /etc/pam.d/password-auth
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to password-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+    # If pam_unix.so line exists, add remember option
+    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/password-auth
+else
+    # If no pam_unix.so line exists, add one with remember
+    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+fi
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to system-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+    # If pam_unix.so line exists, add remember option
+    sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/system-auth
+else
+    # If no pam_unix.so line exists, add one with remember
+    echo "password    sufficient    pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+fi
@@ -2035,13 +2035,14 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: |-
           Usage of pam_unix.so module together with "remember" option is deprecated and is not
-          recommened by this policy. Instead, it should be used remember option of pam_pwhistory
+          recommended by this policy. Instead, it should be used remember option of pam_pwhistory
           module, as required in 5.3.3.3.1. See here for more details about pam_unix.so:
           https://bugzilla.redhat.com/show_bug.cgi?id=1778929
-          A new rule needs to be created to remove the remember option from pam_unix module.
+      rules:
+          - accounts_password_pam_unix_no_remember
 
     - id: 5.3.3.4.3
       title: Ensure pam_unix includes a strong password hashing algorithm (Automated)

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -2421,6 +2421,3 @@ CCE-90720-4
 CCE-90721-2
 CCE-90722-0
 CCE-90723-8
-CCE-90725-3
-CCE-90726-1
-CCE-90728-7
@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing

@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -17,6 +17,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -16,6 +16,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing
 accounts_password_warn_age_login_defs

@@ -17,6 +17,7 @@ accounts_password_pam_minclass
 accounts_password_pam_minlen
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing