{"description": "The PAM system service can be configured to only store encrypted\nrepresentations of passwords. In\n<tt>/etc/pam.d/common-auth</tt>,\nthe\n<tt>auth</tt> section of the file controls which PAM modules execute\nduring a password change. Set the <tt>pam_unix.so</tt> module in the\n<tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown\nbelow:\n<br />\n<pre>auth   required    pam_unix.so sha512 <i>other arguments...</i></pre>\n<br />\nThis will help ensure that when local users change their authentication method,\nhashes for the new authentications will be generated using the SHA-512\nalgorithm. This is the default.", "rationale": "Unapproved mechanisms used for authentication to the cryptographic module\nare not verified and therefore cannot be relied on to provide\nconfidentiality or integrity, and data may be compromised.\nThis setting ensures user and group account administration utilities are\nconfigured to store only encrypted representations of passwords.\nAdditionally, the <tt>crypt_style</tt> configuration option ensures the use\nof a strong hashing algorithm that makes password cracking attacks more\ndifficult.", "severity": "medium", "references": {"nist": ["IA-7", "IA-7.1"], "pcidss": ["Req-8.2.1"], "srg": ["SRG-OS-000120-GPOS-00061"], "pcidss4": ["8.3.2", "8.3"]}, "control_references": {"pcidss4": ["8.3.2", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "it does not", "ocil": "Inspect the contents of <tt>/etc/pam.d/common-auth</tt>\nand ensure that the <tt>pam_unix.so</tt> module includes the argument\n<tt>sha512</tt>:\n<pre>$ grep sha512 /etc/pam.d/common-auth</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], 
"inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set PAM's Common Authentication Hashing Algorithm", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml", "template": {"name": "pam_options", "vars": {"path": "/etc/pam.d/common-auth", "type": "auth", "control_flag": "required", "module": "pam_unix.so", "arguments": [{"argument": "sha512", "new_argument": "sha512"}]}, "backends": {}}}