Set Password Hashing Algorithm in /etc/login.defs
An XCCDF Rule
Description
In /etc/login.defs
, add or correct the following line to ensure
the system will use
ENCRYPT_METHOD
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult.
- ID
- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then
var_password_hashing_algorithm='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" use="legacy"/>'
# Strip any search characters in the key arg so that the key can be replaced without
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80892-3
- CJIS-5.6.2.2