4.4.5 Ensure all current passwords uses the configured hashing algorithm

Information

Currently used passwords with out of date hashing algorithms may pose a security risk to the system.

In use passwords should always match the configured hashing algorithm for the system.

Solution

If the administrator wish to force an immediate change on all users as per the output of the audit, execute:

#!/usr/bin/env bash

{
UID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)
awk -F: -v UID_MIN="${UID_MIN}" '( $3 >= UID_MIN && $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0
}

NOTE: This could cause significant temporary CPU load on the system if a large number of users reset their passwords at the same time.

Impact:

If the administrator forces a password change, this could cause a large spike in CPU usage if a large number of users change their password during the same time.

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 623053d08627e32d7c4b6586961fdb302d634abc80506a2192e002e1b932cd9d