The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.

An XCCDF Rule

Description

<VulnDiscussion>The Ubuntu operating system must use a FIPS-compliant hashing algorithm to securely store the password. The FIPS-compliant hashing algorithm parameters must be selected in order to harden the system against offline attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-219182r610963_rule
Severity: Medium
References: CCI-000803
Updated: 9 months ago

Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.

Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so:

password [success=1 default=ignore] pam_unix.so obscure sha512
Edit/modify /etc/login.defs and set "ENCRYPT_METHOD sha512".

The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.

Description

Remediation - Manual Procedure