UBTU-18-010110 - The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords - sha512

Information

The Ubuntu operating system must use a FIPS-compliant hashing algorithm to securely store the password. The FIPS-compliant hashing algorithm parameters must be selected in order to harden the system against offline attacks.

Solution

Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.

Edit/modify the following line in the file '/etc/pam.d/common-password' file to include the sha512 option for pam_unix.so:

password [success=1 default=ignore] pam_unix.so obscure sha512

Edit/modify /etc/login.defs and set 'ENCRYPT_METHOD sha512'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R4_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-000803, Rule-ID|SV-219182r610963_rule, STIG-ID|UBTU-18-010110, STIG-Legacy|SV-109695, STIG-Legacy|V-100591, Vuln-ID|V-219182

Plugin: Unix

Control ID: 3a721ad34fd9014b6b65585a26c2a2ef63716a0793825c7c8eeb2a31fdbd5484