5.3.4 Ensure password hashing algorithm is SHA-512 - system-auth

Information

The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these changes only apply to accounts configured on the local system.

Solution

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option for pam_unix.so as shown:

password sufficient pam_unix.so sha512
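One way to verify the setting above, as an added example that is not part of the benchmark text. The function names `pam_unix_uses_sha512` and `non_sha512_accounts` are hypothetical, and the PAM and shadow entries in `demo` are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit helpers for the sha512 setting.

# Return 0 only if the PAM file has at least one active "password" line that
# calls pam_unix.so and every such line carries the sha512 option.
pam_unix_uses_sha512() {
    awk '
        /^[[:space:]]*#/ { next }                 # ignore commented-out lines
        $1 ~ /^-?password$/ && /pam_unix\.so/ {
            found = 1; ok = 0
            for (i = 3; i <= NF; i++) if ($i == "sha512") ok = 1
            if (!ok) bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# Print accounts in a shadow-format file whose stored hash is not SHA-512
# crypt (prefix $6$). pam_unix applies the option when a password is next
# set, so older hashes stay in place until then. Locked or password-less
# entries (empty, "!" or "*" prefix) are skipped.
non_sha512_accounts() {
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $2 !~ /^\$6\$/ { print $1 }
    ' "$1"
}

# Constructed sample data so the helpers can be exercised offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'auth        sufficient    pam_unix.so try_first_pass' \
        'password    requisite     pam_pwquality.so retry=3' \
        'password    sufficient    pam_unix.so sha512 shadow use_authtok' > "$d/good"
    printf '%s\n' \
        'password    sufficient    pam_unix.so md5 shadow use_authtok' > "$d/bad"
    printf '%s\n' \
        'root:$6$CONSTRUCTEDSALT$constructedhash:19000:0:99999:7:::' \
        'legacy:$1$CONSTRUCTED$constructedhash:15000:0:99999:7:::' \
        'daemon:*:19000:0:99999:7:::' > "$d/shadow"
    pam_unix_uses_sha512 "$d/good" && echo "good: sha512 set"
    pam_unix_uses_sha512 "$d/bad"  || echo "bad: sha512 missing"
    echo "accounts still on an older hash: $(non_sha512_accounts "$d/shadow")"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/pam.d/system-auth and /etc/pam.d/password-auth to the first function and /etc/shadow (as root) to the second.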

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1)(c), 800-53|SC-13, CSCv6|16.14

Plugin: Unix

Control ID: c14b1a247e2e19752bafe5868466f9df22a3fb3a67a547e79daddcc773a3be70