STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 2 Release: 6 Benchmark Date: 24 Jan 2020: The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.

DISA Rule

SV-86543r3_rule

Vulnerability Number

V-71919

Group Title

SRG-OS-000073-GPOS-00041

Rule Version

RHEL-07-010200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to store only SHA512 encrypted representations of passwords.

Add the following line in "/etc/pam.d/system-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok

Add the following line in "/etc/pam.d/password-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok

Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.

Check Contents

Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.

Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth

Outcome should look like following:
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok

If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.

Vulnerability Number

V-71919

Documentable

False

Rule Version

RHEL-07-010200

Severity Override Guidance

Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.

Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth

Outcome should look like following:
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok

If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.

Check Content Reference

M

Target Key

2777

Comments