OL6-00-000062 - The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes (system-auth).

Information

Using a stronger hashing algorithm makes password-cracking attacks more difficult.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

In '/etc/pam.d/system-auth', '/etc/pam.d/system-auth-ac', '/etc/pam.d/password-auth', and '/etc/pam.d/password-auth-ac', among potentially other files, the 'password' section of the files control which PAM modules execute during a password change.

Set the 'pam_unix.so' module in the 'password' section to include the argument 'sha512', as shown below:

password sufficient pam_unix.so sha512 [other arguments...]

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Note: Any updates made to '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' will be overwritten by the 'authconfig' program. The 'authconfig' program should not be used.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_6_V2R7_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-7, CAT|II, CCI|CCI-000803, Rule-ID|SV-208837r793622_rule, STIG-ID|OL6-00-000062, STIG-Legacy|SV-65129, STIG-Legacy|V-50923, Vuln-ID|V-208837

Plugin: Unix

Control ID: a811242c2c547a1c9d7de323b3f20e06f72a2ddb9fcaa459da93c718ff968252