{"description": "Configure the number of rounds for the password hashing algorithm. This can be\naccomplished by using the <tt>rounds</tt> option for the <tt>pam_unix</tt> PAM module.\n<br /><br />\nIn file <tt>/etc/pam.d/password-auth</tt> append <tt>rounds=<sub idref=\"var_password_pam_unix_rounds\" /></tt>\nto the <tt>pam_unix.so</tt> entry, as shown below:\n\n<pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<sub idref=\"var_password_pam_unix_rounds\" /></pre>\n\nThe system's default number of rounds is 5000.", "rationale": "Using a higher number of rounds makes password cracking attacks more difficult.", "severity": "medium", "references": {"srg": ["SRG-OS-000073-GPOS-00041"], "anssi": ["R68"]}, "control_references": {"anssi": ["R68"]}, "components": [], "identifiers": {}, "ocil_clause": "rounds is not set to <sub idref=\"var_password_pam_unix_rounds\" /> or is commented out", "ocil": "To verify the number of rounds for the password hashing algorithm is configured, run the following command:\n<pre>$ sudo grep rounds /etc/pam.d/password-auth</pre>\nThe output should show the following match:\n\n<pre>password sufficient pam_unix.so sha512 rounds=<sub idref=\"var_password_pam_unix_rounds\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use <sub idref=\"var_password_pam_unix_rounds\" /> hashing rounds for hashing passwords.\n\nAdd or modify the following line in \"/etc/pam.d/password-auth\" and set \"rounds\" to <sub idref=\"var_password_pam_unix_rounds\" />.\nFor example:\n\npassword sufficient pam_unix.so sha512 rounds=5000", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 shadow password suite must be configured to use a sufficient number of hashing rounds in /etc/pam.d/password-auth.", "warnings": [{"performance": "Setting a high number of hashing rounds makes it more difficult to brute force the password,\nbut requires more CPU resources to authenticate users."}], "conflicts": [], 
"requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 password-auth must be configured to use a sufficient number of hashing rounds.", "vuldiscussion": "Passwords need to be protected at all times, and encryption is the standard\nmethod for protecting passwords. If passwords are not encrypted, they can\nbe plainly read (i.e., clear text) and easily compromised. Passwords\nthat are encrypted with a weak algorithm are no more protected than if\nthey are kept in plain text.\n\nUsing more hashing rounds makes password cracking attacks more difficult.", "fixtext": "Configure Ubuntu 22.04 to use 5000 hashing rounds for hashing passwords.\n\nAdd or modify the following line in \"/etc/pam.d/password-auth\" and set \"rounds\" to 5000\n\npassword sufficient pam_unix.so sha512 rounds=5000", "checktext": "Verify the number of rounds for the password hashing algorithm is configured with the following command:\n\n$ sudo grep rounds /etc/pam.d/password-auth\n\npassword sufficient pam_unix.so sha512 rounds=5000\n\nIf a matching line is not returned or \"rounds\" is less than 5000, this is a finding."}}, "platform": "package[pam] and system_with_kernel", "platforms": ["package[pam] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Set number of Password Hashing Rounds - password-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml", "template": null}