{"description": "The PAM system service can be configured to only store encrypted representations of passwords.\nIn \"/etc/pam.d/common-password\", the <tt>password</tt> section of the file controls which\nPAM modules to execute during a password change.\n\nSet the <tt>pam_unix.so</tt> module in the <tt>password</tt> section to include the option\n<tt><sub idref=\"var_password_hashing_algorithm_pam\" /></tt> and no other hashing\nalgorithms as shown below:\n<br />\n\n<pre>password    [success=1 default=ignore]   pam_unix.so <sub idref=\"var_password_hashing_algorithm_pam\" /> <i>other arguments...</i></pre>\n\n<br />\nThis will help ensure that new passwords for local users will be stored using the\n<sub idref=\"var_password_hashing_algorithm_pam\" /> algorithm.", "rationale": "Passwords need to be protected at all times, and encryption is the standard method for\nprotecting passwords. If passwords are not encrypted, they can be plainly read\n(i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm\nare no more protected than if they are kept in plain text.\n<br /><br />\nThis setting ensures user and group account administration utilities are configured to store\nonly encrypted representations of passwords. 
Additionally, the <tt>crypt_style</tt>\nconfiguration option in <tt>/etc/libuser.conf</tt> ensures the use of a strong hashing\nalgorithm that makes password cracking attacks more difficult.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.2"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.13.11"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(c)", "IA-5(1)(c)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.2.1"], "srg": ["SRG-OS-000073-GPOS-00041", "SRG-OS-000120-GPOS-00061"], "anssi": ["R68"], "cis": ["5.3.3.4.3"], "ism": ["0418", "1055", "1402"], "pcidss4": ["8.3.2", "8.3"], "stigid": ["UBTU-22-611055"], "stigref": ["SV-260569r1044767_rule"]}, "control_references": {"anssi": ["R68"], "cis": ["5.3.3.4.3"], "ism": ["0418", "1055", "1402"], "pcidss4": ["8.3.2", "8.3"], "stigid": ["UBTU-22-611055"]}, "components": [], "identifiers": {}, "ocil_clause": "\"<sub idref=\"var_password_hashing_algorithm_pam\" />\" is missing, or is commented out", "ocil": "Inspect the <tt>password</tt> section of <tt>/etc/pam.d/common-password</tt>\nand ensure that the <tt>pam_unix.so</tt> module is configured to use the argument\n<tt><sub idref=\"var_password_hashing_algorithm_pam\" /></tt>:\n\n<pre>$ sudo grep \"^password.*pam_unix\\.so.*<sub idref=\"var_password_hashing_algorithm_pam\" />\" /etc/pam.d/common-password\n\npassword [success=1 default=ignore] pam_unix.so <sub idref=\"var_password_hashing_algorithm_pam\" />\n</pre>", 
"oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.\n\n\nEdit/modify the following line in the \"/etc/pam.d/common-password\" file to include the <sub idref=\"var_password_hashing_algorithm_pam\" />\noption for pam_unix.so:\n\npassword [success=1 default=ignore] pam_unix.so <sub idref=\"var_password_hashing_algorithm_pam\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The hashing algorithms to be used with pam_unix.so are defined with independent module\noptions. There are at least 7 possible algorithms and likely more algorithms will be\nintroduced over time. Due to the number of options and their possible combinations,\nthe use of multiple hashing algorithm options may bring unexpected behaviors to the\nsystem. For this reason the check will pass only when one hashing algorithm option is\ndefined and is aligned to the \"var_password_hashing_algorithm_pam\" variable. The\nremediation will ensure the correct option and remove any other extra hashing algorithm\noption."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.", "vuldiscussion": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nUbuntu 22.04 systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. 
This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.", "checktext": "Verify that the pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command:\n\n$ grep \"^password.*pam_unix.so.*sha512\" /etc/pam.d/system-auth\n\npassword sufficient pam_unix.so sha512\n\nIf \"sha512\" is missing, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.\n\nEdit/modify the following line in the \"/etc/pam.d/system-auth\" file to include the sha512 option for pam_unix.so:\n\npassword sufficient pam_unix.so sha512"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set PAM Password Hashing Algorithm - system-auth", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml", "template": null}