← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure password history is enforced for the root user

pam-pwhistory-root · RHEL ≥ 8 · 2 impls

Description

The pam_pwhistory module should be configured to enforce password history for the root user.

Rationale

Preventing root from reusing old passwords ensures better security by requiring truly new passwords.

Check → Remediate

Checkcommand
if grep -qE 'pam_pwhistory\.so.*enforce_for_root' /etc/pam.d/system-auth 2>/dev/null ||
   grep -qE '^\s*enforce_for_root' /etc/security/pwhistory.conf 2>/dev/null; then
  echo "OK: pam_pwhistory enforces history for root"
  exit 0
fi
echo "FAIL: pam_pwhistory does not enforce history for root"
exit 1
expected_exit:
0
Remediateconfig_append
path:
/etc/security/pwhistory.conf
line:
enforce_for_root

Framework references

CIS

rhel9 5.3.3.3.2rhel10 5.3.2.3.2rhel8 5.3.3.3.2

NIST 800-53

IA-5

Live verification

rhel10:checkrhel9:check
#pam#password#pwhistory#root#security