Ensure Password History Is Enforced for the Root User

Docs > Plateforme de sécurité Datadog > OOTB Rules > Ensure Password History Is Enforced for the Root User

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

The enforce_for_root option enforces password history for the root user. Enable the enforce_for_root setting in /etc/security/pwhistory.conf to require the root user to use a password that has not been used recently.

Rationale

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q pam; }; then

if [ -e "/etc/security/pwhistory.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwhistory.conf"
else
    touch "/etc/security/pwhistory.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/security/pwhistory.conf"

cp "/etc/security/pwhistory.conf" "/etc/security/pwhistory.conf.bak"
# Insert at the end of the file
printf '%s\n' "enforce_for_root" >> "/etc/security/pwhistory.conf"
# Clean up after ourselves.
rm "/etc/security/pwhistory.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87591-4
  - accounts_password_pam_pwhistory_enforce_for_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure Password History Is Enforced for the Root User
  ansible.builtin.lineinfile:
    path: /etc/security/pwhistory.conf
    create: true
    regexp: ''
    line: enforce_for_root
    state: present
  when:
  - '"kernel-core" in ansible_facts.packages'
  - '"pam" in ansible_facts.packages'
  tags:
  - CCE-87591-4
  - accounts_password_pam_pwhistory_enforce_for_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy