NixOS must store only encrypted representations of passwords.

An XCCDF Rule

Details
Profiles

Description

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

ID: SV-268130r1039278_rule
Version: ANIX-00-000770
Severity: High
References: CCI-004062
Updated: about 2 months ago

Remediation Templates

Configure NixOS to store only encrypted representations of passwords. 

Add/modify /etc/nixos/configuration.nix to include the following lines:

environment.etc."login.defs".text = pkgs.lib.mkForce ''
ENCRYPT_METHOD SHA256'';

Rebuild the system with the following command:

$ sudo nixos-rebuild switch

NixOS must store only encrypted representations of passwords.

Description

Remediation Templates

A Manual Procedure