STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

DISA Rule

SV-230237r627750_rule

Vulnerability Number

V-230237

Group Title

SRG-OS-000120-GPOS-00061

Rule Version

RHEL-08-010160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

Edit or add the following line in both the "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files so that it includes the sha512 option for pam_unix.so:

password sufficient pam_unix.so sha512 rounds=5000 shadow remember=5

Check Contents

Verify that pam_unix.so auth is configured to use sha512.

Check that pam_unix.so auth is configured to use sha512 in both /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following commands:

$ sudo grep password /etc/pam.d/password-auth | grep pam_unix

password sufficient pam_unix.so sha512 rounds=5000

$ sudo grep password /etc/pam.d/system-auth | grep pam_unix

password sufficient pam_unix.so sha512 rounds=5000

If "sha512" is not an option in both outputs, or is commented out, this is a finding.
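The check above is a manual grep; an auditor running it across many hosts wants the same logic in a script that ignores commented-out lines (the grep in the check text would match a `#password ... sha512` line and hide a finding). The following POSIX shell script is an added example, not part of the STIG or of STIGQter: it looks for an uncommented `password` line that references `pam_unix.so` and carries the `sha512` option, reports PASS or FINDING per file, and exits non-zero if either file fails. The function names and the sample PAM files it builds under a temporary directory are constructed for this example; pass no arguments to audit the real /etc/pam.d files.

```shell
#!/bin/sh
# Added example for RHEL-08-010160 (V-230237); hypothetical helper names.

# Return 0 if FILE has an uncommented "password" line for pam_unix.so that
# includes the sha512 option as a whole word, 1 otherwise (including missing file).
check_pam_unix_sha512() {
    file="$1"
    # ^[[:space:]]*password rejects commented-out lines such as "#password ...".
    grep -E '^[[:space:]]*password[[:space:]]' "$file" 2>/dev/null \
        | grep -E 'pam_unix\.so' \
        | grep -Eq '(^|[[:space:]])sha512([[:space:]]|$)'
}

# Audit every file given (default: the two files named by the STIG check).
# Prints one PASS/FINDING line per file; returns 1 if any file is a finding.
audit_rhel_08_010160() {
    [ $# -eq 0 ] && set -- /etc/pam.d/password-auth /etc/pam.d/system-auth
    status=0
    for f in "$@"; do
        if check_pam_unix_sha512 "$f"; then
            echo "PASS: $f has an active pam_unix.so password line with sha512"
        else
            echo "FINDING: $f has no uncommented pam_unix.so password line with sha512"
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed sample files (not real system configuration).
demo() {
    demo_dir=$(mktemp -d)
    # Constructed sample 1: compliant line, as the STIG fix text prescribes.
    cat > "$demo_dir/password-auth" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 rounds=5000 shadow remember=5
password    required      pam_deny.so
EOF
    # Constructed sample 2: sha512 appears only on a commented-out line,
    # the active line uses md5, so this must be reported as a finding.
    cat > "$demo_dir/system-auth" <<'EOF'
#password   sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
EOF
    if audit_rhel_08_010160 "$demo_dir/password-auth" "$demo_dir/system-auth"; then
        echo "Overall: compliant"
    else
        echo "Overall: FINDING (at least one file fails RHEL-08-010160)"
    fi
    rm -rf "$demo_dir"
}

demo
```

On RHEL 8 these two files are normally generated by authselect, so a direct edit can be reverted the next time a profile is applied; after remediating, re-run the audit function rather than assuming the edit persisted. The script checks only the `sha512` option, which is what the STIG check text asks for; the `rounds=5000` and `remember=5` values from the fix line are not evaluated here.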

Vulnerability Number

V-230237

Documentable

False

Rule Version

RHEL-08-010160

Severity Override Guidance

Verify that pam_unix.so auth is configured to use sha512.

Check that pam_unix.so auth is configured to use sha512 in both /etc/pam.d/password-auth and /etc/pam.d/system-auth with the following commands:

$ sudo grep password /etc/pam.d/password-auth | grep pam_unix

password sufficient pam_unix.so sha512 rounds=5000

$ sudo grep password /etc/pam.d/system-auth | grep pam_unix

password sufficient pam_unix.so sha512 rounds=5000

If "sha512" is not an option in both outputs, or is commented out, this is a finding.

Check Content Reference

M

Target Key

2921

Comments