4.4.2.3.3 Ensure password history is enforced for the root user

Information

If the pwhistory enforce_for_root option is enabled, the module will enforce password history for the root user as well

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password

Note: These change only apply to accounts configured on the local system.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following line to the password section:

password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok

Example password section:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 #<- added pam_pwquality.so line
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 4b769b2ae0cad5657845b32c0696041f0a7fdfd76b129649c0e57d6cca78ba89