{"description": "In <tt>/etc/login.defs</tt>, add or update the following line to ensure the system will use\n<sub idref=\"var_password_hashing_algorithm\" /> as the hashing algorithm:\n<pre>ENCRYPT_METHOD <sub idref=\"var_password_hashing_algorithm\" /></pre>", "rationale": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read\n(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm\nare no more protected than if they are kept in plain text.\n<br /><br />\nUsing a stronger hashing algorithm makes password cracking attacks more difficult.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.2"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.13.11"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(c)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.1"], "srg": ["SRG-OS-000073-GPOS-00041"], "cis": ["5.4.1.4"], "ism": ["0418", "1055", "1402"], "pcidss4": ["8.3.2", "8.3"], "stigid": ["UBTU-22-611070"], "stigref": ["SV-260572r971535_rule"]}, "control_references": {"cis": ["5.4.1.4"], "ism": ["0418", "1055", "1402"], "pcidss4": ["8.3.2", "8.3"], "stigid": ["UBTU-22-611070"]}, "components": [], "identifiers": {}, "ocil_clause": "ENCRYPT_METHOD is not set to <sub idref=\"var_password_hashing_algorithm\" />", "ocil": "\nVerify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2 approved cryptographic hashing algorithm.\n\nCheck the hashing algorithm that is being used to hash passwords with the following command:\n\n$ sudo grep -i ENCRYPT_METHOD  /etc/login.defs\n\nENCRYPT_METHOD <sub idref=\"var_password_hashing_algorithm\" />", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to encrypt all stored passwords.\n\nAdd or update the following line in the \"/etc/login.defs\" file:\n\nENCRYPT_METHOD <sub idref=\"var_password_hashing_algorithm\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured to use the shadow file to store only encrypted representations of passwords.", "vuldiscussion": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can\nbe plainly read (i.e., clear text) and easily compromised. Passwords that\nare encrypted with a weak algorithm are no more protected than if they are\nkept in plain text.\n\n\n\nThis setting ensures user and group account administration utilities are\nconfigured to store only encrypted representations of passwords.\nAdditionally, the \"crypt_style\" configuration option ensures the use\nof a strong hashing algorithm that makes password cracking attacks more\ndifficult.", "checktext": "Verify the system's shadow file is configured to store only encrypted representations of passwords with a hash value of SHA512 with the following command:\n\n# grep -i encrypt_method /etc/login.defs\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not have a value of \"SHA512\", or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to store only SHA512 encrypted representations of passwords.\n\nAdd or update the following line in the \"/etc/login.defs\" file:\n\nENCRYPT_METHOD SHA512"}}, "platform": "package[shadow-utils]", "platforms": ["package[shadow-utils]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_shadow-utils"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Hashing Algorithm in /etc/login.defs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml", "template": null}