Verify that the password history is enforced for the root account.

About this task

All hardened appliances enable enforce_for_root for the pw_history module, found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/securetty/passwd file.

Procedure

  1. Run the following command:

    cat /etc/pam.d/common-password-vmware.local | grep pam_pwhistory.so

  2. Ensure that enforce_for_root appears in the returned results.

    password required pam_pwhistory.so enforce_for_root remember=5 retry=3