{"description": "In <tt>/etc/login.defs</tt>, ensure <tt>YESCRYPT_COST_FACTOR</tt> has the minimum value of <tt><sub idref=\"var_password_yescrypt_cost_factor_login_defs\" /></tt>.\nFor example:\n<pre>YESCRYPT_COST_FACTOR <sub idref=\"var_password_yescrypt_cost_factor_login_defs\" />\nYESCRYPT_COST_FACTOR <sub idref=\"var_password_yescrypt_cost_factor_login_defs\" /></pre>\nNotice that if it is not set, it already has the default value of 5.\nIf it is set, it must have the minimum value of <sub idref=\"var_password_yescrypt_cost_factor_login_defs\" />.", "rationale": "Passwords need to be protected at all times, and hashing is the standard\nmethod for protecting passwords. If passwords are not hashed, they can\nbe plainly read (i.e., clear text) and easily compromised. Passwords\nthat are hashed with a weak algorithm are no more protected than if\nthey are kept in plain text.\n<br /><br />\nUsing a higher cost factor makes password cracking attacks more difficult.", "severity": "medium", "references": {"nist": ["IA-5(1)(c)", "IA-5(1).1(v)", "IA-7", "IA-7.1"], "srg": ["SRG-OS-000073-GPOS-00041", "SRG-OS-000120-GPOS-00061"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the cost factor is too low", "ocil": "Inspect <tt>/etc/login.defs</tt> and ensure that if\n<tt>YESCRYPT_COST_FACTOR</tt>\nis set, it must have the minimum value of <tt><sub idref=\"var_password_yescrypt_cost_factor_login_defs\" /></tt>.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to encrypt all stored passwords with a strong cryptographic hash.\n\nEdit/modify the following line in the \"/etc/login.defs\" file and set \"YESCRYPT_COST_FACTOR\" to a value no lower than \"5\":\n\nYESCRYPT_COST_FACTOR <sub idref=\"var_password_yescrypt_cost_factor_login_defs\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 shadow password suite must be configured to use a sufficient cost factor.", "warnings": [], "conflicts": [],
"requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set yescrypt Cost Factor in /etc/login.defs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_yescrypt_cost_factor_logindefs/rule.yml", "template": {"name": "key_value_pair_in_file", "vars": {"path": "/etc/login.defs", "key": "YESCRYPT_COST_FACTOR", "xccdf_variable": "var_password_yescrypt_cost_factor_login_defs", "variable_datatype": "int", "sep": " ", "sep_regex": "\\s*", "app": "login.defs", "test_correct_value": 5, "test_wrong_value": 1}, "backends": {}}}