Profile Applicability:
• Level 1
Description:
Enforcing password history for the root user prevents reuse of recently used passwords, enhancing the security of the most privileged account by ensuring password changes involve new and unique values.
Rationale:
Applying password history enforcement to the root account reduces the risk of password reuse attacks and strengthens overall system security by protecting the highest privilege level.
Impact:
Pros:
Enhances protection of the root account.
Supports compliance with strict security policies.
Cons:
May increase administrative overhead for root password management.
Default Value:
Password history enforcement may not be enabled for the root user by default.
Pre-requisites:
Root or sudo privileges to modify PAM configuration.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration files for enforcement on root user:
grep pam_pwhistory /etc/pam.d/system-auth
grep pam_pwhistory /etc/pam.d/common-password
Verify the presence of enforce_for_root option in the pam_pwhistory module configuration.
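An added shell check (not part of the benchmark text) that automates the test plan above: it reports only active, uncommented password lines that load pam_pwhistory.so and lack enforce_for_root, and it exercises itself on constructed sample files, not the real /etc/pam.d entries.

```shell
#!/bin/sh
# Added example, not benchmark-supplied code: audit one PAM file for an
# active (uncommented) "password" line that loads pam_pwhistory.so and
# carries enforce_for_root. Returns 0 = pass, 1 = fail, 2 = file unreadable.
check_pwhistory_root() {
    f="$1"
    [ -r "$f" ] || { echo "MISSING: $f"; return 2; }
    # Keep only non-comment password lines that load pam_pwhistory.so.
    lines=$(grep -E '^[[:space:]]*password[[:space:]]' "$f" | grep 'pam_pwhistory\.so' || true)
    if [ -z "$lines" ]; then
        echo "FAIL: $f has no active pam_pwhistory line"
        return 1
    fi
    # enforce_for_root must appear as a whole word on one of those lines.
    if printf '%s\n' "$lines" | grep -qw 'enforce_for_root'; then
        echo "PASS: $f"
        return 0
    fi
    echo "FAIL: $f loads pam_pwhistory without enforce_for_root"
    return 1
}

# Audit both files named in the test plan; returns non-zero if any fails.
audit_pam_pwhistory() {
    rc=0
    for f in /etc/pam.d/system-auth /etc/pam.d/common-password; do
        [ -e "$f" ] || continue      # not every distribution ships both files
        check_pwhistory_root "$f" || rc=1
    done
    return $rc
}

# Constructed sample files (not real system files) so the check runs offline.
demo_dir=$(mktemp -d)
printf 'password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root\n' > "$demo_dir/good"
printf '# password required pam_pwhistory.so enforce_for_root\npassword    required      pam_pwhistory.so use_authtok remember=5\n' > "$demo_dir/bad"
check_pwhistory_root "$demo_dir/good"          # PASS: the option is on an active line
check_pwhistory_root "$demo_dir/bad" || true   # FAIL: only a commented-out line has it
```

The commented-out case in the sample is the one a plain `grep pam_pwhistory` would wrongly report as compliant.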
Implementation Plan:
Using Linux command line:
1. Edit PAM password configuration file:
vi /etc/pam.d/system-auth
2. Ensure the line enabling pam_pwhistory includes enforce_for_root:
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root
3. Save the file.
Backout Plan:
Using Linux command line:
Remove the enforce_for_root option if necessary.
Test password changes to confirm behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwhistory Documentation