← Rules Catalog
mediumaccess-controlverified rollback-safe

Enforce password complexity rules for root account

pwquality-root-enforce · RHEL ≥ 8 · 1 impl

Description

The enforce_for_root option must be set in /etc/security/pwquality.conf to ensure that password complexity rules apply even when the root account changes its own password.

Rationale

Without enforce_for_root, the root account can bypass password complexity requirements. Requiring complex root passwords reduces the risk of root account compromise.

Check → Remediate

Checkcommand
grep -rqsE "^\s*enforce_for_root" /etc/security/pwquality.conf /etc/security/pwquality.conf.d/ 2>/dev/null
expected_exit:
0
Remediateconfig_append
path:
/etc/security/pwquality.conf
line:
enforce_for_root

Framework references

CIS

rhel9 5.3.3.2.7rhel10 5.3.2.2.7rhel8 5.3.3.2.7

STIG

V-281193 / RHEL-10-600405V-258101 / RHEL-09-611060

NIST 800-53

IA-5IA-5(1)

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#pwquality#password-complexity#root