Verify that the password history is enforced for the root account.

All hardened appliances enable enforce_for_root for the pw_history module, found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/securetty/passwd file.


  1. Run the following command:

    cat /etc/pam.d/common-password-vmware.local | grep

  2. Ensure that enforce_for_root appears in the returned results.

    password required enforce_for_root remember=5 retry=3
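The check in steps 1 and 2 can be scripted so that commented-out lines and lines outside the password stack are not counted as a match. The following is an added example, not part of the original procedure or of the appliance tooling; the function name check_root_pw_history, the minimum of 5, and the requirement that remember= be set explicitly are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PAM password stack for root password-history enforcement.
# Usage: check_root_pw_history FILE [MIN_REMEMBER]
# Returns 0 = compliant, 1 = not compliant, 2 = file missing or unreadable.
# Assumption: an explicit remember=N (N >= MIN_REMEMBER, default 5) is required
# on the same line as enforce_for_root.
check_root_pw_history() {
    file=$1
    min=${2:-5}
    [ -r "$file" ] || return 2
    awk -v min="$min" '
        { sub(/#.*/, "") }                 # PAM treats "#" to end of line as a comment
        $1 != "password" { next }          # only password-stack entries matter
        {
            root = 0; remember = -1
            for (i = 2; i <= NF; i++) {
                if ($i == "enforce_for_root") root = 1
                if ($i ~ /^remember=[0-9]+$/) { split($i, kv, "="); remember = kv[2] + 0 }
            }
            # Both options must be on the same active line to count.
            if (root && remember >= min) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$file"
}

# Constructed sample: the line from step 2 plus a commented-out decoy.
sample=$(mktemp)
printf '%s\n' \
    '# password required enforce_for_root remember=1' \
    'password required enforce_for_root remember=5 retry=3' > "$sample"
if check_root_pw_history "$sample"; then
    echo "PASS: root password history enforced"
else
    echo "FAIL: enforce_for_root missing or remember too low"
fi
rm -f "$sample"
```

On an appliance, pass the file from step 1 as the argument: check_root_pw_history /etc/pam.d/common-password-vmware.local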