---
title: Ensure Password History Is Enforced for the Root User
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Ensure Password History Is Enforced for
  the Root User
---

# Ensure Password History Is Enforced for the Root User
 
## Description{% #description %}

The `enforce_for_root` option enforces password history for the root user. Enable the `enforce_for_root` setting in `/etc/security/pwhistory.conf` to require the `root` user to use a password that has not been used recently.

## Rationale{% #rationale %}

Requiring users not to reuse their passwords make it less likely that an attacker will be able to guess the password or use a compromised password.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q pam; }; then

if [ -e "/etc/security/pwhistory.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwhistory.conf"
else
    touch "/etc/security/pwhistory.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/security/pwhistory.conf"

cp "/etc/security/pwhistory.conf" "/etc/security/pwhistory.conf.bak"
# Insert at the end of the file
printf '%s\n' "enforce_for_root" >> "/etc/security/pwhistory.conf"
# Clean up after ourselves.
rm "/etc/security/pwhistory.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```go
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87591-4
  - accounts_password_pam_pwhistory_enforce_for_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure Password History Is Enforced for the Root User
  ansible.builtin.lineinfile:
    path: /etc/security/pwhistory.conf
    create: true
    regexp: ''
    line: enforce_for_root
    state: present
  when:
  - '"kernel-core" in ansible_facts.packages'
  - '"pam" in ansible_facts.packages'
  tags:
  - CCE-87591-4
  - accounts_password_pam_pwhistory_enforce_for_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
```