mediumaccess-controlverified ✓rollback-safe
Ensure password history is enforced for the root user
pam-pwhistory-root · RHEL ≥ 8 · 2 impls
Description
The pam_pwhistory module should be configured to enforce password history for the root user.
Rationale
Preventing root from reusing old passwords ensures better security by requiring truly new passwords.
Check → Remediate
Checkcommand
if grep -qE 'pam_pwhistory\.so.*enforce_for_root' /etc/pam.d/system-auth 2>/dev/null || grep -qE '^\s*enforce_for_root' /etc/security/pwhistory.conf 2>/dev/null; then echo "OK: pam_pwhistory enforces history for root" exit 0 fi echo "FAIL: pam_pwhistory does not enforce history for root" exit 1
- expected_exit:
- 0
Remediateconfig_append
- path:
- /etc/security/pwhistory.conf
- line:
- enforce_for_root
Framework references
CIS
rhel9 5.3.3.3.2rhel10 5.3.2.3.2rhel8 5.3.3.3.2
NIST 800-53
IA-5
Live verification
rhel10:checkrhel9:check
#pam#password#pwhistory#root#security