5.3.3.2.8 Ensure password quality is enforced for the root user

Audit

Run the following command to verify that the enforce_for_root option is enabled in a pwquality configuration file:

# grep -Psi -- '^\h*enforce_for_root\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf

Example output:

/etc/security/pwquality.conf.d/50-pwroot.conf:enforce_for_root

Note: - module arguments override the settings in the /etc/security/pwquality.conf configuration file - Settings observe an order of precedence: - module arguments override the settings in the /etc/security/pwquality.conf configuration file - settings in the /etc/security/pwquality.conf configuration file override settings in a .conf file in the /etc/security/pwquality.conf.d/ directory - settings in a .conf file in the /etc/security/pwquality.conf.d/ directory are read in canonical order, with last read file containing the setting taking precedence - It is recommended that settings be configured in a .conf file in the /etc/security/pwquality.conf.d/ directory for clarity, convenience, and durability.

Remediation

Edit or add the following line in a .conf* file in /etc/security/pwquality.conf.d or in /etc/security/pwquality.conf**: Example:

#!/urs/bin/env bash
{
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '\n%s\n' "enforce_for_root" > /etc/security/pwquality.conf.d/50-pwroot.conf
}

Default Value: disabled