diff --git a/components/pam.yml b/components/pam.yml
index c9402fce8c3..14d7501a094 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -54,6 +54,7 @@ rules:
- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_ocredit
+- accounts_password_pam_pwhistory_enabled
- accounts_password_pam_pwhistory_remember
- accounts_password_pam_pwhistory_remember_password_auth
- accounts_password_pam_pwhistory_remember_system_auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
new file mode 100644
index 00000000000..124e3df8e9b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
@@ -0,0 +1,22 @@
+# platform = multi_platform_ubuntu
+
+conf_name=cac_pwhistory
+conf_path="/usr/share/pam-configs"
+
+if [ ! -f "$conf_path"/"$conf_name" ]; then
+ if [ -f "$conf_path"/pwhistory ]; then
+ cp "$conf_path"/pwhistory "$conf_path"/"$conf_name"
+ sed -i '/Default: yes/a Priority: 1025\
+Conflicts: pwhistory' "$conf_path"/"$conf_name"
+ else
+ cat << EOF > "$conf_path"/"$conf_name"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+ fi
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
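Review bot: The outer guard `if [ ! -f "$conf_path"/"$conf_name" ]` makes the remediation a no-op whenever cac_pwhistory already exists, so a profile whose `Password:` line was edited or commented out is never repaired and the rule keeps failing after remediation. Consider rewriting the profile unconditionally, or skipping only when `grep -q 'pam_pwhistory\.so' "$conf_path/$conf_name"` succeeds. In the copy branch the `sed` appends only after a literal `Default: yes` line, so if the distribution's pwhistory profile lacks that exact line, neither `Priority: 1025` nor `Conflicts: pwhistory` is added and nothing reports it. If the copied profile already has a `Priority:` field, the result carries two. A header comment saying why the profile is cloned under the `cac_` name with `Conflicts: pwhistory` would also help the next maintainer.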
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
new file mode 100644
index 00000000000..9917af95998
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
@@ -0,0 +1,27 @@
+
+
+ {{{ oval_metadata("The passwords to remember should be set correctly.") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/pam.d/common-password
+ ^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$
+ 1
+
+
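Review bot: The `oval_metadata` text "The passwords to remember should be set correctly." describes the remember-count rule, not this check, which only tests for a pam_pwhistory.so line in /etc/pam.d/common-password; `oval_metadata("The pam_pwhistory.so module should be enabled in /etc/pam.d/common-password.")` would match what is evaluated. The pattern ends in `pam_pwhistory\.so[\s]+.*$`, so it requires whitespace after the module name, and whether a line without module arguments matches appears to depend on how the newline is treated. Writing the tail as `pam_pwhistory\.so(?:[\s]+.*)?$` would state the intent explicitly. The XML element markup of this file is not visible on this page, so the object, test and state wiring could not be reviewed.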
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
new file mode 100644
index 00000000000..0de224fe1a2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+
+title: 'Ensure pam_pwhistory module is enabled'
+
+description: |-
+ The pam_pwhistory.so module saves the last passwords for each user in order to
+ force password change history and keep the user from alternating between the same
+ password too frequently.
+ This module does not work together with kerberos. In general, it does not make much
+ sense to use this module in conjunction with NIS or LDAP, since the old passwords are
+ stored on the local machine and are not available on another machine for password
+ history checking.
+
+rationale: |-
+ Use of a unique, complex passwords helps to increase the time and resources required
+ to compromise the password.
+
+severity: medium
+
+platform: package[pam]
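Review bot: The `rationale` argues for unique, complex passwords, which justifies the complexity rules rather than password history, and "a unique, complex passwords" is ungrammatical. A rationale tied to this control would read `Enforcing password history prevents users from cycling back to a previously used, possibly compromised, password.` The rule declares `platform: package[pam]`, while the check and remediation visible in this commit cover only /etc/pam.d/common-password and pam-auth-update; if the rule is meant for Ubuntu only, the description should say so. No `ocil`/`ocil_clause` text is provided, so the rule has no manual verification instructions.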
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
new file mode 100644
index 00000000000..91c74a66e30
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite # pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
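Review bot: This scenario does not clear existing pwhistory profiles before adding tmp_pwhistory, so if a stock `pwhistory` or a `cac_pwhistory` profile is already enabled, common-password presumably still contains a valid pam_pwhistory.so line and the check passes where a fail is expected. missing.fail.sh already removes them; adding `rm -f -- /usr/share/pam-configs/*pwhistory` before the here-document would make the outcome independent of the starting state. Also, `Password: requisite # pam_pwhistory.so ...` is not a commented-out PAM line but, as far as can be told from the profile text, one whose module field is `#`. A comment such as `# the module name is replaced by '#' so that no pam_pwhistory.so entry is generated` would make that intent clear.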
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
new file mode 100644
index 00000000000..0b6d30e3652
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
new file mode 100644
index 00000000000..22496c997b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+rm /usr/share/pam-configs/*pwhistory
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
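Review bot: `rm /usr/share/pam-configs/*pwhistory` hands the unexpanded pattern to rm and prints an error when no profile matches, and it lacks `--`; `rm -f -- /usr/share/pam-configs/*pwhistory` handles the empty case cleanly. The exit status of `pam-auth-update` is not checked here or in the other two scenarios. Should it decline to regenerate common-password, the scenario would evaluate the previous state, so `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` would surface that.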