diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
new file mode 100644
index 00000000000..80cd705f724
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\benforce_for_root\b' "$conf_file"; then
+ sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_pwhistory\.so/ {
+ s/$/ enforce_for_root/g
+ }
+ }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
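Review bot: The `s/$/ enforce_for_root/g` substitution appends the option at the end of the matched line, so on a `pam_pwhistory.so` line that carries a trailing comment the option lands after the `#` and never becomes a module argument. The guard `grep` above would then still fail on the next run and append again. Inserting directly after the module name avoids this: `s/(pam_pwhistory\.so)/\1 enforce_for_root/`. The guard also matches anywhere in the file while the `sed` edits only the `Password:` block, so a profile carrying the option only in some other block would be skipped; whether that can happen depends on what `bash_pam_pwhistory_enable` writes, which is not visible here. The exit status of `pam-auth-update` is not checked, so a failed update would leave the remediation reporting success.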
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
new file mode 100644
index 00000000000..21b23ab85f9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
@@ -0,0 +1,52 @@
+{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
+{{% else %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/system-auth' -%}}
+{{% endif %}}
+
+
+
+ {{{ oval_metadata("Enforce password history for root of pam_pwhistory.") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+ {{{ accounts_password_pam_file }}}
+
+ 1
+
+
+
+
+ ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so.*$
+
+
+
+
+
+
+
+
+ {{{ accounts_password_pam_file }}}
+ ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#]*\benforce_for_root\b.*$
+ 1
+
+
+
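Review bot: The `else` branch at the top points the check at `/etc/pam.d/system-auth` only, while the rule text and the single remediation in this commit deal with `/etc/pam.d/common-password`. On products that also keep a password stack in another file such as `/etc/pam.d/password-auth`, a `pam_pwhistory.so` line there would presumably go unevaluated. If the rule is intended only for the products in the first branch, a comment such as `<!-- only common-password is supported; the system-auth branch is a fallback and is not remediated -->` or a narrower applicability would make that explicit. The two patterns also repeat the same control-field alternation; holding that shared prefix in one Jinja `set` variable would keep the existence test and the `enforce_for_root` test from drifting apart.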
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
new file mode 100644
index 00000000000..4d3b37d621c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+
+title: 'Limit Password Reuse'
+
+description: |-
+ Do not allow root to reuse recent passwords. This can be
+ accomplished by using the enforce_for_root option for the
+ pam_pwhistory PAM modules.
+
+ In the file /etc/pam.d/common-password, make sure the parameters
+ enforce_for_root is present.
+
+rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.'
+
+severity: medium
+
+platform: package[pam]
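Review bot: The title `'Limit Password Reuse'` and the rationale never mention root, so in a scan report this rule reads the same as a general password-history rule and does not explain why a separate option is needed. A title such as `title: 'Limit Password Reuse for root'` would fix the first part. For the second, the rationale could say `'Without enforce_for_root, pam_pwhistory does not apply the history check when root changes a password, so a previously used password can be set again.'`. In the description, "the parameters enforce_for_root is present" should read "the parameter enforce_for_root is present" and "PAM modules" should be singular. The description also names only `/etc/pam.d/common-password`, although the OVAL check in this commit has a branch for another file.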
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh
new file mode 100644
index 00000000000..48679604fd9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"
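Review bot: Nothing in this scenario confirms that `pam-auth-update` actually wrote the `pam_pwhistory.so` line into `/etc/pam.d/common-password`. If the call fails or declines to rewrite the file, the rule still evaluates to fail and the scenario passes without exercising the intended case. The same applies to `ubuntu_commented_argument.fail.sh`, whose whole point is a line that is present but carries the option only in a comment. A precondition check after the update, for example `grep -q 'pam_pwhistory\.so' /etc/pam.d/common-password || exit 1`, would make this explicit; how the test harness treats a non-zero exit from a scenario script should be confirmed first.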
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh
new file mode 100644
index 00000000000..9384286e588
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=6 try_first_pass use_authtok # enforce_for_root
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
new file mode 100644
index 00000000000..43bab19b4af
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"