SV-204415r603261_rule
V-204415
SRG-OS-000073-GPOS-00041
RHEL-07-010200
CAT II
10
Configure the operating system to store only SHA512 encrypted representations of passwords.
Add the following line in "/etc/pam.d/system-auth":
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
Add the following line in "/etc/pam.d/password-auth":
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.
Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
Check that the system is configured to create SHA512 hashed passwords with the following command:
# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth
The output should look like the following:
/etc/pam.d/system-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.
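Added example (not part of the STIG text): a shell function that applies the check above to one PAM file, flagging any "password" line for pam_unix.so that lacks sha512 or names another pam_unix hash option (md5, bigcrypt, sha256, blowfish). The function name audit_pam_hash and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the "password" pam_unix.so lines of a PAM file.
# Prints each non-compliant line; returns 0 if compliant, 1 on a finding.
audit_pam_hash() {
    file=$1
    awk -v f="$file" '
        /^[ \t]*#/            { next }   # skip comment lines
        $1 !~ /^-?password$/  { next }   # only the password stack
        !/pam_unix\.so/       { next }   # only pam_unix.so entries
        {
            seen = 1; has512 = 0; other = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "sha512") has512 = 1
                if ($i ~ /^(md5|bigcrypt|sha256|blowfish)$/) other = $i
            }
            if (!has512 || other != "") {
                printf "FINDING %s:%d: %s\n", f, NR, $0
                bad = 1
            }
        }
        END {
            # Assumption: a file with no pam_unix.so password line is
            # reported too, since the expected line is then missing.
            if (!seen) {
                printf "FINDING %s: no pam_unix.so password line\n", f
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$file"
}

# Constructed sample: one compliant line and one that permits MD5.
sample=$(mktemp)
cat > "$sample" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
EOF
audit_pam_hash "$sample" || echo "result: finding"
rm -f "$sample"
```

On a live system, call audit_pam_hash once for "/etc/pam.d/system-auth" and once for "/etc/pam.d/password-auth"; a non-zero return from either is a finding.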
V-204415
False
RHEL-07-010200
M
2899