ComplianceAsCode · teacup-on-rockingchair · Nov 27, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/..._password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml b/..._password_attempts/accounts_password_pam_pwhistory_remember_password_auth/oval/shared.xml
@@ -35,7 +35,7 @@
             comment="Check the pam_pwhistory.so remember parameter is absent in password-auth file"/>
           <criterion
             test_ref="test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf"
-            comment="Check the remember parameter in /etc/security/pwhistory.conf"/>
+            comment="Check the remember parameter in {{{ pwhistory_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -82,15 +82,15 @@
 
   <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
     id="test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf"
-    comment="Check the absence of remember parameter in /etc/security/pwhistory.conf">
+    comment="Check the absence of remember parameter in {{{ pwhistory_path }}}">
     <ind:object
       object_ref="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object
     id="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf" version="1"
-    comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf">
-    <ind:filepath operation="pattern match">^/etc/security/pwhistory.conf$</ind:filepath>
+    comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}">
+    <ind:filepath operation="pattern match">^{{{ pwhistory_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match"
       var_ref="var_accounts_password_pam_pwhistory_remember_password_auth_conf_param_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -107,7 +107,7 @@
   <ind:textfilecontent54_test
     id="test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf" version="1"
     check="all" check_existence="all_exist"
-    comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf">
+    comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}">
     <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_password_auth_param_conf"/>
     <ind:state state_ref="state_accounts_password_pam_pwhistory_remember_password_auth"/>
   </ind:textfilecontent54_test>

diff --git a/...ing_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/...ing_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -21,7 +21,7 @@ description: |-
 
     Otherwise, it should be enabled using an authselect custom profile.
     <br/><br/>
-    Newer systems also have the <tt>/etc/security/pwhistory.conf</tt> file for setting
+    Newer systems also have the <tt>{{{ pwhistory_path }}}</tt> file for setting
     <tt>pam_pwhistory</tt> module options. This file should be used whenever available.
     Otherwise, the <tt>pam_pwhistory</tt> module options can be set in PAM files.
     <br/><br/>
@@ -56,7 +56,7 @@ references:
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in
-    /etc/pam.d/password-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set
+    /etc/pam.d/password-auth or in {{{ pwhistory_path }}}, or is set in both files, or is set
     with a value less than "{{{ xccdf_value("var_password_pam_remember") }}}"
 
 ocil: |-
@@ -70,9 +70,9 @@ ocil: |-
     password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     {{% if product not in ["ol7"] %}}
-    Verify the "/etc/security/pwhistory.conf" file using the following command:
+    Verify the "{{{ pwhistory_path }}}" file using the following command:
 
-    <pre>$ grep remember /etc/security/pwhistory.conf
+    <pre>$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     The pam_pwhistory.so "remember" option must be configured only in one file.
@@ -89,7 +89,7 @@ fixtext: |-
     First ensure the pam_pwhistory.so module is enabled in the password section of "/etc/pam.d/password-auth":
     <pre>password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok</pre>
 
-    If the "/etc/security/pwhistory.conf" is present in the system, use it to set the "remember" option:
+    If the "{{{ pwhistory_path }}}" is present in the system, use it to set the "remember" option:
     <pre>remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     Otherwise, include the "remember" option in "/etc/pam.d/password-auth" file:

@@ -15,5 +15,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -18,4 +18,4 @@ else
     fi
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -14,4 +14,4 @@ else
     sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_PASSWORD_AUTH
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
 else
    sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
 fi
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
diff --git a/...ut_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml b/...ut_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/oval/shared.xml
@@ -26,16 +26,16 @@
             comment="Check the remember parameter in password section of system-auth file"/>
           <criterion
             test_ref="test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf"
-            comment="Check the pam_pwhistory.so remember parameter is absent in pwhistory.conf"/>
+            comment="Check the pam_pwhistory.so remember parameter is absent in {{{ pwhistory_path }}}"/>
         </criteria>
         <criteria operator="AND"
-          comment="Check the pam_pwhistory.so remember parameter is only in pwhistory.conf file">
+          comment="Check the pam_pwhistory.so remember parameter is only in {{{ pwhistory_path }}} file">
           <criterion
             test_ref="test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd"
             comment="Check the pam_pwhistory.so remember parameter is absent in system-auth file"/>
           <criterion
             test_ref="test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf"
-            comment="Check the remember parameter in /etc/security/pwhistory.conf"/>
+            comment="Check the remember parameter in {{{ pwhistory_path }}}"/>
         </criteria>
       </criteria>
     </criteria>
@@ -82,15 +82,15 @@
 
   <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
     id="test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf"
-    comment="Check the absence of remember parameter in /etc/security/pwhistory.conf">
+    comment="Check the absence of remember parameter in {{{ pwhistory_path }}}">
     <ind:object
       object_ref="object_accounts_password_pam_pwhistory_remember_system_auth_param_conf"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object
     id="object_accounts_password_pam_pwhistory_remember_system_auth_param_conf" version="1"
-    comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf">
-    <ind:filepath operation="pattern match">^/etc/security/pwhistory.conf$</ind:filepath>
+    comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}">
+    <ind:filepath operation="pattern match">^{{{ pwhistory_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match"
       var_ref="var_accounts_password_pam_pwhistory_remember_system_auth_conf_param_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -107,7 +107,7 @@
   <ind:textfilecontent54_test
     id="test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf" version="1"
     check="all" check_existence="all_exist"
-    comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf">
+    comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}">
     <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_system_auth_param_conf"/>
     <ind:state state_ref="state_accounts_password_pam_pwhistory_remember_system_auth"/>
   </ind:textfilecontent54_test>

diff --git a/...cking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/...cking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
@@ -21,7 +21,7 @@ description: |-
 
     Otherwise, it should be enabled using an authselect custom profile.
     <br/><br/>
-    Newer systems also have the <tt>/etc/security/pwhistory.conf</tt> file for setting
+    Newer systems also have the <tt>{{{ pwhistory_path }}}</tt> file for setting
     <tt>pam_pwhistory</tt> module options. This file should be used whenever available.
     Otherwise, the <tt>pam_pwhistory</tt> module options can be set in PAM files.
     <br/><br/>
@@ -56,7 +56,7 @@ references:
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in
-    /etc/pam.d/system-auth or in /etc/security/pwhistory.conf, or is set in both files, or is set
+    /etc/pam.d/system-auth or in {{{ pwhistory_path }}}, or is set in both files, or is set
     with a value less than "{{{ xccdf_value("var_password_pam_remember") }}}"
 
 ocil: |-
@@ -70,9 +70,9 @@ ocil: |-
     password {{{ xccdf_value("var_password_pam_remember_control_flag") }}} pam_pwhistory.so use_authtok remember={{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     {{% if product not in ["ol7"] %}}
-    Verify the "/etc/security/pwhistory.conf" file using the following command:
+    Verify the "{{{ pwhistory_path }}}" file using the following command:
 
-    <pre>$ grep remember /etc/security/pwhistory.conf
+    <pre>$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     The pam_pwhistory.so "remember" option must be configured only in one file.

@@ -15,5 +15,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -18,4 +18,4 @@ else
     fi
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -14,4 +14,4 @@ else
     sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_SYSTEM_AUTH
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
 else
    sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
 fi
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
diff --git a/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -33,16 +33,16 @@
 		comment="Check the remember parameter in password section of PAM file"/>
 	    <criterion
 		test_ref="test_accounts_password_pam_unix_remember_no_pwhistory_conf"
-		comment="Check the pam_pwhistory.so remember parameter is absent in pwhistory.conf"/>
+		comment="Check the pam_pwhistory.so remember parameter is absent in {{{ pwhistory_path }}}"/>
 	  </criteria>
 	  <criteria operator="AND"
-		    comment="Check the pam_pwhistory.so remember parameter is only in pwhistory.conf file">
+		    comment="Check the pam_pwhistory.so remember parameter is only in {{{ pwhistory_path }}} file">
 	    <criterion
 		test_ref="test_accounts_password_pam_unix_remember_no_pamd"
 		comment="Check the pam_pwhistory.so remember parameter is absent in PAM file"/>
 	    <criterion
 		test_ref="test_accounts_password_pam_unix_remember_pwhistory_conf"
-		comment="Check the remember parameter in /etc/security/pwhistory.conf"/>
+		comment="Check the remember parameter in {{{ pwhistory_path }}}"/>
 	  </criteria>
 	</criteria>
       </criteria>
@@ -95,15 +95,15 @@
 
   <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
 			      id="test_accounts_password_pam_unix_remember_no_pwhistory_conf"
-			      comment="Check the absence of remember parameter in /etc/security/pwhistory.conf">
+			      comment="Check the absence of remember parameter in {{{ pwhistory_path }}}">
     <ind:object
 	object_ref="object_accounts_password_pam_unix_remember_param_conf"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object
       id="object_accounts_password_pam_unix_remember_param_conf" version="1"
-      comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf">
-    <ind:filepath operation="pattern match">^/etc/security/pwhistory.conf$</ind:filepath>
+      comment="Collect the pam_pwhistory.so remember parameter from {{{ pwhistory_path }}}">
+    <ind:filepath operation="pattern match">^{{{ pwhistory_path }}}$</ind:filepath>
     <ind:pattern operation="pattern match"
 		 var_ref="var_accounts_password_pam_unix_remember_conf_param_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
@@ -120,7 +120,7 @@
   <ind:textfilecontent54_test
       id="test_accounts_password_pam_unix_remember_pwhistory_conf" version="1"
       check="all" check_existence="all_exist"
-      comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf">
+      comment="Check remember parameter is present and correct in {{{ pwhistory_path }}}">
     <ind:object object_ref="object_accounts_password_pam_unix_remember_param_conf"/>
     <ind:state state_ref="state_accounts_password_pam_unix_remember"/>
   </ind:textfilecontent54_test>
@@ -141,7 +141,7 @@
 
   <local_variable id="var_accounts_password_pam_unix_remember_conf_param_regex"
 		  datatype="string" version="1"
-		  comment="The regex is to collect the pam_pwhistory.so remember parameter in pwhistory.conf">
+		  comment="The regex is to collect the pam_pwhistory.so remember parameter in {{{ pwhistory_path }}}">
     <literal_component>^\s*remember\s*=\s*([0-9]+)</literal_component>
   </local_variable>
 

diff --git a/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -49,8 +49,8 @@ ocil: |-
 
     {{% if product not in ["ol7"] %}}
     In newer systems, the <tt>pam_pwhistory</tt> PAM module options can also be set in
-    "/etc/security/pwhistory.conf" file. Use the following command to verify:
-    <pre>$ grep remember /etc/security/pwhistory.conf
+    "{{{ pwhistory_path }}}" file. Use the following command to verify:
+    <pre>$ grep remember {{{ pwhistory_path }}}
     remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 
     The pam_pwhistory <tt>remember</tt> option must be configured only in one file.
@@ -70,7 +70,7 @@ fixtext: |-
     </li>
     </ul>
     {{% if product not in ["ol7"] %}}
-    If the <tt>pam_pwhistory.so</tt> module is used and the <tt>/etc/security/pwhistory.conf</tt>
+    If the <tt>pam_pwhistory.so</tt> module is used and the <tt>{{{ pwhistory_path }}}</tt>
     file is present in the system, use it to set the "remember" option:
     <pre>remember = {{{ xccdf_value("var_password_pam_remember") }}}</pre>
 

@@ -15,5 +15,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}
@@ -15,4 +15,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -18,4 +18,4 @@ else
     fi
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -14,4 +14,4 @@ else
     sed -i --follow-symlinks '/.*pam_pwhistory\.so/d' $CUSTOM_SYSTEM_AUTH
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -11,4 +11,4 @@ if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
 else
    sed -i --follow-symlinks "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
 fi
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -17,4 +17,4 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -19,4 +19,4 @@ else
     sed -i --follow-symlinks "s/^(.*pam_unix\.so.*)(remember=[0-9]+)(.*)$/\1remember=$remember_cnt\3/" $CUSTOM_SYSTEM_AUTH
 fi
 authselect apply-changes -b
-> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
@@ -16,5 +16,5 @@ else
 fi
 authselect apply-changes -b
 
-> /etc/security/pwhistory.conf
-echo "remember = $remember_cnt" >> /etc/security/pwhistory.conf
+> {{{ pwhistory_path }}}
+echo "remember = $remember_cnt" >> {{{ pwhistory_path }}}