Skip to content

Set number of Password Hashing Rounds - password-auth

An XCCDF Rule

Description

Configure the number or rounds for the password hashing algorithm. This can be accomplished by using the rounds option for the pam_unix PAM module.

In file /etc/pam.d/password-auth append rounds= to the pam_unix.so entry, as shown below:

password sufficient pam_unix.so ...existing_options... rounds=
The system's default number of rounds is 5000.

warning alert: Performance Warning

Setting a high number of hashing rounds makes it more difficult to brute force the password, but requires more CPU resources to authenticate users.

Rationale

Using a higher number of rounds makes password cracking attacks more difficult.

ID
xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - accounts_password_pam_unix_rounds_password_auth
  - configure_strategy

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_unix_rounds='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" use="legacy"/>'