Set PAM''s Password Hashing Algorithm - password-auth
An XCCDF Rule
Description
The PAM system service can be configured to only store encrypted
representations of passwords. In
/etc/pam.d/password-auth
,
the
password
section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so
module in the
password
section to include the argument sha512
, as shown
below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the crypt_style
configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult.
- ID
- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-85946-2
- CJIS-5.6.2.2
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if [ -e "/etc/pam.d/password-auth" ] ; then
PAM_FILE_PATH="/etc/pam.d/password-auth"
if [ -f /usr/bin/authselect ]; then