Set Password Hashing Rounds in /etc/login.defs
An XCCDF Rule
Description
In /etc/login.defs
, ensure SHA_CRYPT_MIN_ROUNDS
and
SHA_CRYPT_MAX_ROUNDS
has the minimum value of 5000
.
For example:
SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
Rationale
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if
they are kept in plain text.
Using more hashing rounds makes password cracking attacks more difficult.
- ID
- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
has Minimum Value of 5000
ansible.builtin.replace:
path: /etc/login.defs
regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
replace: \g<1>5000\g<2>
Remediation - Shell Script
if [ -e "/etc/login.defs" ] ; then
LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
else
printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2