The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Note: Additional module options may be set, recommendation only covers those listed here. Rationale: Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password.
Solution
Edit both the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the remember option and conform to site policy as shown: Note: Add or modify the line containing the pam_pwhistory.so after the first occurrence of password requisite: password required pam_pwhistory.so remember=5 Example: (Second line is modified) password requisite pam_pwquality.so try_first_pass local_users_only authtok_type= password required pam_pwhistory.so use_authtok remember=5 retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so Additional Information: This setting only applies to local accounts. This option is configured with the remember=n module option in /etc/pam.d/system-auth and /etc/pam.d/password-auth This option can be set with either one of the two following modules: pam_pwhistory.so - This is the newer recommended method included in the remediation section. pam_unix.so - This is the older method, and is included in the audit to account for legacy configurations.