{"description": "Configure the number of rounds for the password hashing algorithm. This can be\naccomplished by using the <tt>rounds</tt> option for the <tt>pam_unix</tt> PAM module.\n<br /><br />\nIn file <tt>/etc/pam.d/system-auth</tt> append <tt>rounds=<sub idref=\"var_password_pam_unix_rounds\" /></tt>\nto the <tt>pam_unix.so</tt> entry, as shown below:\n<pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<sub idref=\"var_password_pam_unix_rounds\" /></pre>\nThe system's default number of rounds is 5000.", "rationale": "Using a higher number of rounds makes password cracking attacks more difficult.", "severity": "medium", "references": {"srg": ["SRG-OS-000073-GPOS-00041"], "anssi": ["R68"]}, "control_references": {"anssi": ["R68"]}, "components": [], "identifiers": {}, "ocil_clause": "rounds is not set to <sub idref=\"var_password_pam_unix_rounds\" /> or is commented out", "ocil": "To verify the number of rounds for the password hashing algorithm is configured, run the following command:\n<pre>$ sudo grep rounds /etc/pam.d/system-auth</pre>\nThe output should show the following match:\n<pre>password sufficient pam_unix.so sha512 rounds=<sub idref=\"var_password_pam_unix_rounds\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use <sub idref=\"var_password_pam_unix_rounds\" /> hashing rounds for hashing passwords.\n\nAdd or modify the following line in \"/etc/pam.d/system-auth\" and set \"rounds\" to <sub idref=\"var_password_pam_unix_rounds\" />.\nFor example:\n\npassword sufficient pam_unix.so sha512 rounds=<sub idref=\"var_password_pam_unix_rounds\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 shadow password suite must be configured to use a sufficient number of hashing rounds in /etc/pam.d/system-auth.", "warnings": [{"performance": "Setting a high number of hashing rounds makes it more difficult to brute force the password,\nbut requires more CPU resources to authenticate users."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 system-auth must be configured to use a sufficient number of hashing rounds.", "vuldiscussion": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.\n\nUsing more hashing rounds makes password cracking attacks more difficult.", "fixtext": "Configure Ubuntu 22.04 to use 100000 hashing rounds for hashing passwords.\n\nAdd or modify the following line in \"/etc/pam.d/system-auth\" and set \"rounds\" to 100000.\n\npassword sufficient pam_unix.so sha512 rounds=100000\n\nNote: Running authselect will overwrite this value unless a custom authselect policy is created.", "checktext": "Verify the number of rounds for the password hashing algorithm is configured with the following command:\n\n$ sudo grep rounds /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512 rounds=100000\n\nIf a matching line is not returned or \"rounds\" is less than 100000, this is a finding."}}, "platform": "package[pam] and system_with_kernel", "platforms": ["package[pam] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Set number of Password Hashing Rounds - system-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml", "template": null}