Verify that the password history is enforced for the root account.
All hardened appliances enable enforce_for_root for the pw_history module, found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/securetty/passwd file.
- Run the following command:
cat /etc/pam.d/common-password-vmware.local | grep pam_pwhistory.so
- Ensure that enforce_for_root appears in the returned results.
password required pam_pwhistory.so enforce_for_root remember=5 retry=3
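
The check above can be scripted so that it ignores commented-out lines, which a plain grep would still match, and also reports the remember value. This is an added example, not VMware tooling; the function names and the sample file content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and sample content are assumptions.

# Print the active "password" lines of PAM file $1 that load pam_pwhistory.so.
# Comments are stripped first, so a commented-out entry is not counted.
pwhistory_lines() {
    sed -e 's/#.*$//' "$1" 2>/dev/null |
        awk '$1 ~ /^-?password$/ && /pam_pwhistory\.so/'
}

# Return 0 if every active pam_pwhistory.so line carries enforce_for_root,
# 1 if any such line lacks it, 2 if the module is not active in the file.
check_pwhistory() {
    lines=$(pwhistory_lines "$1")
    [ -n "$lines" ] || return 2
    printf '%s\n' "$lines" | awk '
        { ok = 0
          for (i = 2; i <= NF; i++) if ($i == "enforce_for_root") ok = 1
          if (!ok) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print the remember=N value of the first active line (empty if unset).
pwhistory_remember() {
    pwhistory_lines "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^remember=[0-9]+$/) { sub(/^remember=/, "", $i); print $i; exit } }'
}

# Constructed sample: a commented-out entry followed by the expected active line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password required pam_pwhistory.so remember=5
password required pam_pwhistory.so enforce_for_root remember=5 retry=3
EOF
if check_pwhistory "$sample"; then
    echo "PASS: enforce_for_root set, remember=$(pwhistory_remember "$sample")"
else
    echo "FAIL: enforce_for_root missing or pam_pwhistory.so not active"
fi
rm -f "$sample"
```

To audit an appliance, call check_pwhistory with the file named in the command above instead of the constructed sample.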