Add rule accounts_password_pam_pwhistory_enforce_for_root

jan-cerny · jan-cerny · commit a92f4e94dc8c · 2025-12-28T17:34:10.000+01:00
Add rule accounts_password_pam_pwhistory_enforce_for_root to RHEL 8 CIS and RHEL 9 CIS profile. This rule is already selected in RHEL 10 CIS profile. Resolves: https://issues.redhat.com/browse/RHEL-125396
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_for_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_for_root/rule.yml
@@ -12,6 +12,8 @@ rationale: |-
     able to guess the password or use a compromised password.
 
 identifiers:
+    cce@rhel8: CCE-86734-1
+    cce@rhel9: CCE-86742-4
     cce@rhel10: CCE-87591-4
 
 severity: medium
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
@@ -1955,10 +1955,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: planned
-      notes: |-
-          A new rule needs to be created to check and remediate the enforce_for_root option in
-          /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference.
+      status: automated
+      rules:
+          - accounts_password_pam_pwhistory_enforce_for_root
 
     - id: 4.4.3.3.3
       title: Ensure pam_pwhistory includes use_authtok (Automated)
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
@@ -2000,10 +2000,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: planned
-      notes: |-
-          A new rule needs to be created to check and remediate the enforce_for_root option in
-          /etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as reference.
+      status: automated
+      rules:
+          - accounts_password_pam_pwhistory_enforce_for_root
 
     - id: 5.3.3.3.3
       title: Ensure pam_pwhistory includes use_authtok (Automated)
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -73,8 +73,6 @@ CCE-86713-5
 CCE-86726-7
 CCE-86728-3
 CCE-86730-9
-CCE-86734-1
-CCE-86742-4
 CCE-86743-2
 CCE-86745-7
 CCE-86752-3
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -15,6 +15,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -14,6 +14,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -15,6 +15,7 @@ accounts_password_pam_maxrepeat
 accounts_password_pam_maxsequence
 accounts_password_pam_minclass
 accounts_password_pam_minlen
+accounts_password_pam_pwhistory_enforce_for_root
 accounts_password_pam_pwhistory_remember_password_auth
 accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_unix_no_remember
