RHEL-06-000062 - The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth) - system-auth.

Information

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Solution

In '/etc/pam.d/system-auth', '/etc/pam.d/system-auth-ac', '/etc/pam.d/password-auth', and '/etc/pam.d/password-auth-ac', among potentially other files, the 'password' section of the files controls which PAM modules execute during a password change. Set the 'pam_unix.so' module in the 'password' section to include the argument 'sha512', as shown below:

password sufficient pam_unix.so sha512 [other arguments...]

This helps ensure that when local users change their passwords, the hashes for the new passwords are generated using the SHA-512 algorithm. This is the default.

Note: Any updates made to '/etc/pam.d/system-auth' will be overwritten by the 'authconfig' program. The 'authconfig' program should not be used.
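The check described above can be scripted. The following is an added example, not the STIG's or the audit plugin's own check: the function name 'check_pam_sha512' is hypothetical, and the sample PAM lines are constructed. It assumes each PAM rule sits on one line and does not follow 'include' or 'substack' directives.

```shell
#!/bin/sh
# Added example (not the STIG's or the audit plugin's own check).

# check_pam_sha512 FILE   (hypothetical helper name)
#   0 = every active 'password' line that calls pam_unix.so carries 'sha512'
#   1 = at least one such line lacks it (offending lines are printed)
#   2 = FILE is unreadable or has no 'password ... pam_unix.so' line
check_pam_sha512() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "password" || $1 == "-password" {
            unix = 0; sha = 0
            for (i = 3; i <= NF; i++) {          # module follows the control field(s)
                if ($i ~ /(^|\/)pam_unix\.so$/) unix = 1
                else if (unix && $i == "sha512") sha = 1
            }
            if (unix) {
                seen++
                if (!sha) { bad++; printf "%s:%d: %s\n", FILENAME, FNR, $0 }
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    ' "$1"
}

# Constructed samples: one compliant stack, one that uses md5 instead.
sample_dir=$(mktemp -d)
printf '%s\n' 'password requisite pam_cracklib.so try_first_pass retry=3' \
    'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok' \
    > "$sample_dir/good"
printf '%s\n' '# constructed non-compliant sample' \
    'password sufficient pam_unix.so md5 shadow try_first_pass use_authtok' \
    > "$sample_dir/bad"

# Audit the constructed samples, then the files the STIG names (if present).
for f in "$sample_dir/good" "$sample_dir/bad" \
         /etc/pam.d/system-auth /etc/pam.d/system-auth-ac \
         /etc/pam.d/password-auth /etc/pam.d/password-auth-ac; do
    [ -e "$f" ] || continue
    if check_pam_sha512 "$f"; then echo "PASS $f"; else echo "FAIL($?) $f"; fi
done
rm -rf "$sample_dir"
```

A PASS only covers hashes generated at future password changes; existing entries in '/etc/shadow' keep the algorithm they were created with until the password is changed.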

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-7, CAT|II, CCI|CCI-000803, Rule-ID|SV-217898r603264_rule, STIG-ID|RHEL-06-000062, STIG-Legacy|SV-50375, STIG-Legacy|V-38574, Vuln-ID|V-217898

Plugin: Unix

Control ID: 7a884a1c625978d2893d723ed796900297119c849c78a9fa5cae5dbc2fc2d7ed