mediumaccess-controlverified ✓rollback-safe
Enforce password complexity rules for root account
pwquality-root-enforce · RHEL ≥ 8 · 1 impl
Description
The enforce_for_root option must be set in /etc/security/pwquality.conf to ensure that password complexity rules apply even when the root account changes its own password.
Rationale
Without enforce_for_root, the root account can bypass password complexity requirements. Requiring complex root passwords reduces the risk of root account compromise.
Check → Remediate
Checkcommand
grep -rqsE "^\s*enforce_for_root" /etc/security/pwquality.conf /etc/security/pwquality.conf.d/ 2>/dev/null
- expected_exit:
- 0
Remediateconfig_append
- path:
- /etc/security/pwquality.conf
- line:
- enforce_for_root
Framework references
CIS
rhel9 5.3.3.2.7rhel10 5.3.2.2.7rhel8 5.3.3.2.7
STIG
V-281193 / RHEL-10-600405V-258101 / RHEL-09-611060
NIST 800-53
IA-5IA-5(1)
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#pwquality#password-complexity#root