Verify that the root password meets your organization’s corporate password complexity requirements.
Validating the root password complexity is required as the root user bypasses the pam_cracklib module password complexity check that is applied to user accounts.
The account password must start with $6$, which indicates a sha512 hash. This is the standard hash for all hardened appliances.
- To verify the hash of the root password, log in as root and run the # more /etc/shadow command.
The hash information is displayed.
- If the root password does not contain a sha512 hash, run the passwd command to change it.
All hardened appliances enable enforce_for_root for the pw_history module, found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/securetty/passwd file.
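
The two checks above (the $6$ prefix on root's hash and enforce_for_root on the password history line) can be scripted. This is an added example, not part of the original procedure: the function names are hypothetical, the sample files are constructed, and it assumes the PAM line names the module as pam_pwhistory.so.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit the two settings described above.

# Print the hash scheme of root's entry in a shadow-format file.
root_hash_scheme() {
    awk -F: '$1 == "root" {
        if ($2 ~ /^\$6\$/) print "sha512"
        else if ($2 == "" || $2 ~ /^[!*]/) print "locked-or-empty"
        else print "other"
        found = 1; exit
    } END { if (!found) print "missing" }' "$1"
}

# Report enforce_for_root and remember=N from the first active (uncommented)
# password line that names the history module (assumed: pam_pwhistory.so).
pwhistory_settings() {
    awk '$1 == "password" && /pw_?history/ {
        efr = "no"; rem = "unset"
        for (i = 3; i <= NF; i++) {
            if ($i == "enforce_for_root") efr = "yes"
            if ($i ~ /^remember=[0-9]+$/) rem = substr($i, 10)
        }
        print "enforce_for_root=" efr, "remember=" rem
        found = 1; exit
    } END { if (!found) print "not-configured" }' "$1"
}

# Constructed sample files so the script runs offline; on an appliance, pass
# /etc/shadow and /etc/pam.d/common-password as root instead.
tmp=$(mktemp -d)
printf '%s\n' 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::' > "$tmp/shadow"
printf '%s\n' '# constructed sample' \
    'password requisite pam_cracklib.so minlen=8' \
    'password required pam_pwhistory.so enforce_for_root remember=5 use_authtok' \
    > "$tmp/common-password"
echo "root hash scheme: $(root_hash_scheme "$tmp/shadow")"
echo "password history: $(pwhistory_settings "$tmp/common-password")"
rm -rf "$tmp"
```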