STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

DISA Rule

SV-230232r627750_rule

Vulnerability Number

V-230232

Group Title

SRG-OS-000073-GPOS-00041

Rule Version

RHEL-08-010120

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.

Check Contents

Confirm that the interactive user account passwords are using a strong password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.
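The check above, automated as an added example (not part of the STIG text): the function applies the "$6$" prefix test to every shadow entry and reports the accounts that would be findings. It does not decide which accounts are interactive; the function names, the sample entries and the handling of "!!", "!$6$..." and empty fields are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the STIG text.
# audit_shadow: read shadow-format lines on stdin and print one
# "account<TAB>reason" line per entry that would be a finding.
audit_shadow() {
    awk -F: '
        # "!" or "*" marks an inactive account: not evaluated.
        # Assumption: any field starting with either (e.g. "!!", "!$6$...")
        # is a locked account.
        substr($2, 1, 1) == "!" || substr($2, 1, 1) == "*" { next }
        # Assumption: an empty field (no password at all) is reported.
        $2 == "" { print $1 "\tempty password field"; next }
        # SHA-512 crypt: compliant.
        substr($2, 1, 3) == "$6$" { next }
        # Other modular-crypt schemes: report the id between the first two "$".
        substr($2, 1, 1) == "$" {
            rest = substr($2, 2)
            print $1 "\tscheme id " substr(rest, 1, index(rest, "$") - 1)
            next
        }
        { print $1 "\tno $id$ prefix (legacy hash)" }
    '
}

# Constructed sample entries (salts and hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:18700:0:99999:7:::
bin:*:18353:0:99999:7:::
alice:$1$CONSTRUCTED$placeholderhash:18700:0:99999:7:::
bob:!!:18700::::::
carol:!$6$CONSTRUCTED$placeholderhash:18700:0:99999:7:::
dave:$5$CONSTRUCTED$placeholderhash:18700:0:99999:7:::
erin::18700:0:99999:7:::
EOF
}

# Demo run on the constructed sample; reports alice, dave and erin.
sample_shadow | audit_shadow
```

On a live system, replace the demo line with `sudo cat /etc/shadow | audit_shadow` and review each reported account against the fix recommendation.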

Documentable

False

Severity Override Guidance

Confirm that the interactive user account passwords are using a strong password hash with the following command:

$ sudo cut -d: -f2 /etc/shadow

$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/

Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.

Check Content Reference

M

Target Key

2921