Ensure Password History Is Enforced for the Root User
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The enforce_for_root option enforces password history for the root user.
Enable the enforce_for_root setting in /etc/security/pwhistory.conf
to require the root user to use a password that has not been used recently.
Rationale
Requiring users not to reuse their passwords make it less likely that an attacker will be
able to guess the password or use a compromised password.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q pam; }; then
if [ -e "/etc/security/pwhistory.conf" ] ; then
LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwhistory.conf"
else
touch "/etc/security/pwhistory.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/security/pwhistory.conf"
cp "/etc/security/pwhistory.conf" "/etc/security/pwhistory.conf.bak"
# Insert at the end of the file
printf '%s\n' "enforce_for_root" >> "/etc/security/pwhistory.conf"
# Clean up after ourselves.
rm "/etc/security/pwhistory.conf.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-87591-4
- accounts_password_pam_pwhistory_enforce_for_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure Password History Is Enforced for the Root User
ansible.builtin.lineinfile:
path: /etc/security/pwhistory.conf
create: true
regexp: ''
line: enforce_for_root
state: present
when:
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-87591-4
- accounts_password_pam_pwhistory_enforce_for_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
