On 11/12/13, 10:38 PM, Frank Caviggia wrote:
Shawn,

This should be a little bit better of a match to what you wanted for the password use remediation.

-Frank

0001-accounts_password_reuse_limit.sh-remediation.patch

From c6bd643edc3f9504172225d6a0fce9771a6e1a77 Mon Sep 17 00:00:00 2001
From: Frank Caviggia <fcaviggi@redhat.com>
Date: Tue, 12 Nov 2013 22:35:19 -0500
Subject: [PATCH] accounts_password_reuse_limit.sh remediation

Signed-off-by: Frank Caviggia <fcaviggi@redhat.com>
---
 RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh

diff --git a/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
new file mode 100644
index 0000000..e278e54
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
@@ -0,0 +1,8 @@
+source ./templates/support.sh
+populate var_password_history_retain_limit
+
+if [ `grep -c 'remember=' /etc/pam.d/system-auth` -eq 0 ]; then
+	sed 's/^\s*password.*pam_unix\.so.*/& remember=$var_password_history_retain_limit/' /etc/pam.d/system-auth
+else
+	sed 's/remember=[0-9]*/remember=$var_password_history_retain_limit/' /etc/pam.d/system-auth
+fi
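Review bot: neither `sed` invocation modifies the target: without `-i`, both calls print the edited contents to stdout and leave /etc/pam.d/system-auth untouched, so the remediation reports success while changing nothing. The replacement text is also in single quotes, so `$var_password_history_retain_limit` reaches sed as a literal string and is written verbatim into the `pam_unix.so` line (double-quote the sed expression, or build it with a quoted variable). Lastly, `grep -c 'remember='` only distinguishes "some remember= exists" from "none"; it matches any module's line, and when no `password ... pam_unix.so` line is present the first branch silently does nothing. The script should check for that line explicitly and fail loudly when it is absent.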
-- 
1.8.3.1

I quickly tested with system-auth containing, and not, remember=. This is a great start!

Three things remain:

- sed -i ;)

- The variable isn't being expanded when the script is run, I get:
# bash accounts_password_reuse_limit.sh
.......
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=$var_password_history_retain_limit
password    sufficient    pam_sss.so use_authtok

- What if "password pam_unix.so" isn't present?
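The three points above (no in-place edit, the variable swallowed by single quotes, and a system-auth with no `password ... pam_unix.so` line) can be covered in one small shell function. What follows is an added example written for this thread, not code from the patch or from the SCAP Security Guide project; the function names, the sample file contents and the `/tmp` usage are all constructed for illustration, and it writes through a temporary file (equivalent to `sed -i` on GNU sed, but also safe on other seds) so it can be tried on a copy of the file rather than on the real /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the patch): set "remember=N" on the pam_unix.so
# password line of a PAM file. Assumed interface: set_remember_limit FILE N.

# set_remember_limit FILE LIMIT
#   Returns 0 and rewrites FILE when a "password ... pam_unix.so" line exists,
#   returns 1 and leaves FILE untouched when it does not.
set_remember_limit() {
    file=$1
    limit=$2
    tmp="$file.tmp.$$"

    # Point 3 from the thread: refuse to "succeed" when there is nothing to fix.
    if ! grep -q '^[[:space:]]*password.*pam_unix\.so' "$file"; then
        echo "error: no 'password ... pam_unix.so' line in $file; nothing changed" >&2
        return 1
    fi

    # Point 2: the sed expression is in double quotes so $limit expands before
    # sed sees it; [[:space:]] is used instead of GNU-only \s.
    if grep -q '^[[:space:]]*password.*pam_unix\.so.*remember=' "$file"; then
        # Only touch the pam_unix.so line, never some other module's remember=.
        sed "/^[[:space:]]*password.*pam_unix\.so/s/remember=[0-9]*/remember=$limit/" \
            "$file" > "$tmp"
    else
        sed "s/^[[:space:]]*password.*pam_unix\.so.*/& remember=$limit/" \
            "$file" > "$tmp"
    fi

    # Point 1: actually write the result back. Copying over the original
    # (rather than mv) keeps the file's owner, mode and SELinux label.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_remember_value FILE: print the remember= value on the pam_unix.so
# password line, or nothing if there is none. Used to verify the change.
get_remember_value() {
    sed -n '/^[[:space:]]*password.*pam_unix\.so/s/.*remember=\([0-9]*\).*/\1/p' "$1"
}

# write_sample FILE KIND: constructed system-auth fragments for trying this out.
#   without  - pam_unix.so line with no remember= (the first branch)
#   with     - pam_unix.so line already carrying remember=3 (the second branch)
#   missing  - no pam_unix.so password line at all (the error case)
write_sample() {
    case $2 in
    without)
        printf '%s\n' \
            'password    requisite     pam_cracklib.so try_first_pass retry=3' \
            'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok' \
            'password    sufficient    pam_sss.so use_authtok' \
            'password    required      pam_deny.so' > "$1" ;;
    with)
        printf '%s\n' \
            'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=3' \
            'password    required      pam_deny.so' > "$1" ;;
    missing)
        printf '%s\n' \
            'password    sufficient    pam_sss.so use_authtok' \
            'password    required      pam_deny.so' > "$1" ;;
    esac
}

# Small demonstration on a scratch copy; the real target would be
# /etc/pam.d/system-auth as in the patch.
demo=$(mktemp /tmp/system-auth.XXXXXX)
write_sample "$demo" without
set_remember_limit "$demo" 5
echo "after fix, remember=$(get_remember_value "$demo")"
write_sample "$demo" missing
set_remember_limit "$demo" 5 || echo "exit status $? on a file without pam_unix.so"
rm -f "$demo"
```

Run it against a copy of system-auth first (`cp /etc/pam.d/system-auth /tmp/sa && set_remember_limit /tmp/sa 5 && diff /etc/pam.d/system-auth /tmp/sa`) to confirm the only line that changes is the `pam_unix.so` password line.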