{"description": "In <tt>/etc/login.defs</tt>, ensure <tt>SHA_CRYPT_MIN_ROUNDS</tt> and\n<tt>SHA_CRYPT_MAX_ROUNDS</tt> have the minimum value of <tt><sub idref=\"var_password_hashing_min_rounds_login_defs\" /></tt>.\nFor example:\n<pre>SHA_CRYPT_MIN_ROUNDS <sub idref=\"var_password_hashing_min_rounds_login_defs\" />\nSHA_CRYPT_MAX_ROUNDS <sub idref=\"var_password_hashing_min_rounds_login_defs\" /></pre>\nNotice that if neither is set, they already have the default value of 5000.\nIf either is set, it must have the minimum value of <sub idref=\"var_password_hashing_min_rounds_login_defs\" />.", "rationale": "Passwords need to be protected at all times, and hashing is the standard\nmethod for protecting passwords. If passwords are not hashed, they can\nbe plainly read (i.e., clear text) and easily compromised. Passwords\nthat are hashed with a weak algorithm are no more protected than if\nthey are kept in plain text.\n<br /><br />\nUsing more hashing rounds makes password cracking attacks more difficult.", "severity": "medium", "references": {"srg": ["SRG-OS-000073-GPOS-00041", "SRG-OS-000120-GPOS-00061"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it does not", "ocil": "Inspect <tt>/etc/login.defs</tt> and ensure that if either\n<tt>SHA_CRYPT_MIN_ROUNDS</tt> or <tt>SHA_CRYPT_MAX_ROUNDS</tt>\nis set, it has the minimum value of <tt><sub idref=\"var_password_hashing_min_rounds_login_defs\" /></tt>.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"5000\":\n\nSHA_CRYPT_MIN_ROUNDS <sub idref=\"var_password_hashing_min_rounds_login_defs\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 shadow password suite must be configured to use a sufficient number of hashing rounds.", "warnings": [], 
"conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 shadow password suite must be configured to use a sufficient number of hashing rounds.", "vuldiscussion": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.\n\nUsing more hashing rounds makes password cracking attacks more difficult.", "checktext": "Verify that Ubuntu 22.04 has a minimum number of hash rounds configured with the following command:\n\n$ grep -i sha_crypt /etc/login.defs\n\nIf \"SHA_CRYPT_MIN_ROUNDS\" or \"SHA_CRYPT_MAX_ROUNDS\" is less than \"<sub idref=\"var_password_hashing_min_rounds_login_defs\" />\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"SHA_CRYPT_MIN_ROUNDS\" to a value no lower than \"<sub idref=\"var_password_hashing_min_rounds_login_defs\" />\":\n\nSHA_CRYPT_MIN_ROUNDS <sub idref=\"var_password_hashing_min_rounds_login_defs\" />"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Hashing Rounds in /etc/login.defs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml", "template": null}