{"description": "The PAM system service can be configured to store only hashed (one-way) representations of passwords.\nIn <tt>/etc/pam.d/password-auth</tt>, the <tt>password</tt> section of the file controls which\nPAM modules to execute during a password change.\n\nSet the <tt>pam_unix.so</tt> module in the <tt>password</tt> section to include the option\n<tt><sub idref=\"var_password_hashing_algorithm_pam\" /></tt> and no other hashing\nalgorithm option, as shown below:\n<br />\n<pre>password    sufficient    pam_unix.so <sub idref=\"var_password_hashing_algorithm_pam\" /> <i>other arguments...</i></pre>\n<br />\nThis ensures that new passwords for local users are stored using the\n<sub idref=\"var_password_hashing_algorithm_pam\" /> algorithm. Existing entries in <tt>/etc/shadow</tt> keep\ntheir current hash until the password is next changed.", "rationale": "Passwords need to be protected at all times, and salted one-way hashing is the standard method for\nprotecting stored passwords. If passwords are stored in clear text they can be plainly read\nand easily compromised. Passwords hashed with a weak algorithm offer little more protection\nthan if they were kept in plain text.\n<br /><br />\nThis setting ensures user and group account administration utilities are configured to store\nonly hashed representations of passwords. 
Additionally, the <tt>crypt_style</tt>\nconfiguration option in <tt>/etc/libuser.conf</tt> ensures the use of a strong hashing\nalgorithm that makes password cracking attacks more difficult.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.2"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.13.11"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(c)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.1"], "srg": ["SRG-OS-000073-GPOS-00041", "SRG-OS-000120-GPOS-00061"], "ism": ["0418", "1055", "1402"]}, "control_references": {"ism": ["0418", "1055", "1402"]}, "components": [], "identifiers": {}, "ocil_clause": "it does not", "ocil": "Inspect the <tt>password</tt> section of <tt>/etc/pam.d/password-auth</tt>\nand ensure that the <tt>pam_unix.so</tt> module is configured to use the argument\n<tt><sub idref=\"var_password_hashing_algorithm_pam\" /></tt> and no other hashing algorithm option:\n\n<pre>$ grep \"^password.*pam_unix.so.*<sub idref=\"var_password_hashing_algorithm_pam\" />\" /etc/pam.d/password-auth</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The hashing algorithm used by pam_unix.so is selected with independent module\noptions, one per algorithm. There are at least 7 such options and more are likely to be\nintroduced over time. 
Due to the number of options and their possible combinations,\nthe use of multiple hashing algorithm options can produce unexpected behavior on the\nsystem. For this reason the check passes only when exactly one hashing algorithm option is\ndefined and it matches the \"var_password_hashing_algorithm_pam\" variable. The\nremediation ensures the correct option is present and removes any other hashing algorithm\noption."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.", "fixtext": "Configure Ubuntu 22.04 to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/password-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512", "checktext": "Verify that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command:\n\n$ grep \"^password.*pam_unix.so.*sha512\" /etc/pam.d/password-auth\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or the line is commented out, this is a finding.\n\nIf the system administrator (SA) can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.", "vuldiscussion": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nUbuntu 22.04 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD 
requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system."}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set PAM's Password Hashing Algorithm - password-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml", "template": null}
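The check and remediation that the rule's warning describes (exactly one hashing option on each active password/pam_unix.so line, and that option equal to the wanted algorithm), as a worked example added here. It is not the scap-security-guide OVAL check or its bash remediation: the list of pam_unix.so hash options, the function names and the sample PAM file are this example's own assumptions. It goes a little beyond the page by also parsing bracketed control fields such as [success=1 default=ignore], which Debian-derived systems use in /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added illustration: audit and remediate the hashing-algorithm option on
# "password ... pam_unix.so" lines the way the rule warning describes
# (exactly one hash option, equal to the wanted algorithm). This is not the
# scap-security-guide OVAL check or bash remediation; function names, the
# option list below and the sample file are this example's own assumptions.
PAM_HASH_OPTS="md5 bigcrypt sha256 sha512 blowfish gost_yescrypt yescrypt"

# Shared awk program. mode=check: exit 0 only if at least one active
# password/pam_unix.so line exists and every such line carries exactly
# $want and no other option from PAM_HASH_OPTS. mode=fix: print the file
# with those lines rewritten to carry $want plus their non-hash options.
_pam_hash_awk='
function modidx(   i) {             # field index of the module name
    if ($2 !~ /^[[]/) return 3      # plain control word: module is $3
    for (i = 2; i <= NF; i++)       # "[success=1 default=ignore]" spans
        if ($i ~ /]$/) return i + 1 # several fields; module follows "]"
    return 0
}
BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
/^[ \t]*#/ || $1 != "password" { if (mode == "fix") print; next }
{
    m = modidx()
    if (!m || $m !~ /(^|\/)pam_unix\.so$/) { if (mode == "fix") print; next }
    if (mode == "fix") {
        line = $1
        for (i = 2; i <= m; i++) line = line " " $i
        line = line " " want                       # the one hash option
        for (i = m + 1; i <= NF; i++)
            if (!($i in known)) line = line " " $i # keep nullok, remember=, ...
        print line; next
    }
    cnt = 0; hit = 0
    for (i = m + 1; i <= NF; i++)
        if ($i in known) { cnt++; if ($i == want) hit = 1 }
    if (cnt != 1 || !hit) bad = 1
    seen = 1
}
END { if (mode == "check") { if (seen && !bad) exit 0; exit 1 } }
'

pam_hash_check() {   # $1 = PAM file, $2 = wanted algorithm; returns 0 if compliant
    awk -v mode=check -v opts="$PAM_HASH_OPTS" -v want="$2" "$_pam_hash_awk" "$1"
}

pam_hash_fix() {     # $1 = PAM file, $2 = wanted algorithm; rewrites $1 in place
    tmp=$(mktemp) || return 1
    if awk -v mode=fix -v opts="$PAM_HASH_OPTS" -v want="$2" "$_pam_hash_awk" "$1" > "$tmp"; then
        cat "$tmp" > "$1"; rc=$?     # cat keeps the target file owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

pam_hash_sample() {  # writes a constructed, deliberately non-compliant file to $1
    cat > "$1" <<'EOF'
# constructed password-auth fragment for the example (not from a real host)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 sha512 shadow nullok use_authtok
password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
password    required      pam_deny.so
# password    sufficient    pam_unix.so md5
session     required      pam_unix.so
EOF
}

# Run with "--demo" to see the sample audited, fixed and audited again.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    pam_hash_sample "$f"
    pam_hash_check "$f" sha512 && echo "before fix: pass" || echo "before fix: FAIL"
    pam_hash_fix "$f" sha512
    pam_hash_check "$f" sha512 && echo "after fix: pass" || echo "after fix: FAIL"
    grep '^password' "$f"
    rm -f "$f"
fi
```

Two points worth noting. The STIG check's grep "^password.*pam_unix.so.*sha512" accepts the sample's first pam_unix.so line, which also lists md5; the rule's warning, and pam_hash_check above, reject it because two hash options are present. The rewrite joins fields with single spaces, so column alignment in the edited file is lost; content, including options such as nullok, remember= and use_authtok, is preserved.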