Set Password Hashing Rounds in /etc/login.defs

An XCCDF Rule

Description

In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example:

SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000

Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using more hashing rounds makes password cracking attacks more difficult.

ID: xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
Severity: Medium
References: BP28(R68)

CCI-000196 CCI-000803

SRG-OS-000073-GPOS-00041 SRG-OS-000120-GPOS-00061

RHEL-08-010130

SV-230233r880705_rule

CCE-89707-4
Updated: about 1 year ago

- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MIN_ROUNDS
    has Minimum Value of 5000
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
    replace: \g<1>5000\g<2>    backup: false
  tags:
  - CCE-89707-4
  - DISA-STIG-RHEL-08-010130
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - set_password_hashing_min_rounds_logindefs

- name: Set Password Hashing Rounds in /etc/login.defs - Ensure SHA_CRYPT_MAX_ROUNDS
    has Minimum Value of 5000
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
    replace: \g<1>5000\g<2>
    backup: false
  tags:
  - CCE-89707-4
  - DISA-STIG-RHEL-08-010130
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - set_password_hashing_min_rounds_logindefs


if [ -e "/etc/login.defs" ] ; then
    
    LC_ALL=C sed -i "/^\s*SHA_CRYPT_MIN_ROUNDS\s*/Id" "/etc/login.defs"
else
    printf '%s\n' "Path '/etc/login.defs' wasn't found on this system. Refusing to continue." >&2    return 1
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/login.defs"

cp "/etc/login.defs" "/etc/login.defs.bak"
# Insert at the end of the file
printf '%s\n' "SHA_CRYPT_MIN_ROUNDS 5000" >> "/etc/login.defs"
# Clean up after ourselves.
rm "/etc/login.defs.bak"

Set Password Hashing Rounds in /etc/login.defs

Description

Rationale

Remediation - Ansible

Remediation - Shell Script