STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.

DISA Rule

SV-221678r603260_rule

Vulnerability Number

V-221678

Group Title

SRG-OS-000073-GPOS-00041

Rule Version

OL07-00-010210

Severity

CAT II

CCI(s)

• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.

Weight

10

Fix Recommendation

Configure the operating system to store only SHA512 encrypted representations of passwords.

Add or update the following line in "/etc/login.defs":

ENCRYPT_METHOD SHA512

Check Contents

Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.

Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep -i encrypt /etc/login.defs
ENCRYPT_METHOD SHA512

If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.

Vulnerability Number

V-221678

Documentable

False

Rule Version

OL07-00-010210

Severity Override Guidance

Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.

Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep -i encrypt /etc/login.defs
ENCRYPT_METHOD SHA512

If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.

Check Content Reference

M

Target Key

4089

Comments