STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-219182r610963_rule
V-219182
SRG-OS-000120-GPOS-00061
UBTU-18-010110
CAT II
10
Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.
Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so:
password [success=1 default=ignore] pam_unix.so obscure sha512
Edit/modify /etc/login.defs and set "ENCRYPT_METHOD sha512".
Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash.
Check that pam_unix.so auth is configured to use sha512 with the following command:
# grep password /etc/pam.d/common-password | grep pam_unix
password [success=1 default=ignore] pam_unix.so obscure sha512
If "sha512" is not an option of the output, or is commented out, this is a finding.
Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs:
# grep -i ENCRYPT_METHOD /etc/login.defs
ENCRYPT_METHOD SHA512
If the output does not contain "sha512", or it is commented out, this is a finding.
V-219182
False
UBTU-18-010110
Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash.
Check that pam_unix.so auth is configured to use sha512 with the following command:
# grep password /etc/pam.d/common-password | grep pam_unix
password [success=1 default=ignore] pam_unix.so obscure sha512
If "sha512" is not an option of the output, or is commented out, this is a finding.
Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs:
# grep -i ENCRYPT_METHOD /etc/login.defs
ENCRYPT_METHOD SHA512
If the output does not contain "sha512", or it is commented out, this is a finding.
M
4055