Information
A cryptographic hash function converts an arbitrary-length input into a fixed-length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.
The SHA-512 algorithm provides a stronger FIPS 140-2 approved cryptographic hashing algorithm than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
Systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
Note: These changes only apply to the local system.
Solution
Note: This only affects local users and passwords created after updating the files to use sha512. If it is determined that the password algorithm being used is not sha512, once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords on next login.
Run the following script to verify the active authselect profile includes the sha512 password hashing algorithm on the password stack's pam_unix.so module lines:
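#!/usr/bin/env bash
{
   # The first line of authselect.conf names the active profile
   l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
   # Custom profiles live under /etc/authselect, vendor profiles under /usr/share
   if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
      l_pam_profile_path="/etc/authselect/$l_pam_profile"
   else
      l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
   fi
   # Print the password-stack pam_unix.so lines that carry the sha512 argument
   grep -P -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?sha512\b' "$l_pam_profile_path"/{password,system}-auth
}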
Example output:
/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
- IF - the output does not include sha512, or includes a different hashing algorithm, run the following script:
#!/usr/bin/env bash
{
   # The first line of authselect.conf names the active profile
   l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
   if grep -Pq -- '^custom\/' <<< "$l_pam_profile"; then
      l_pam_profile_path="/etc/authselect/$l_pam_profile"
   else
      l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
   fi
   for l_authselect_file in "$l_pam_profile_path"/password-auth "$l_pam_profile_path"/system-auth; do
      # Case 1: sha512 is already present on the pam_unix.so password line
      if grep -Pq '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?sha512\b' "$l_authselect_file"; then
         echo "- The sha512 password hashing algorithm is correctly set"
      # Case 2: a different algorithm is set; remove it and append sha512
      elif grep -Pq '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(md5|bigcrypt|sha256|blowfish|yescrypt)\b' "$l_authselect_file"; then
         echo "- An incorrect password hashing algorithm is set, updating to \"sha512\""
         sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(md5|bigcrypt|sha256|blowfish|yescrypt)(\s*.*)$/\1\4 sha512/g' "$l_authselect_file"
      # Case 3: no algorithm argument at all; append sha512
      else
         echo "No password hashing algorithm is set, updating to \"sha512\""
         sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)$/& sha512/g' "$l_authselect_file"
      fi
   done
}
Run the following command to update the password-auth and system-auth files in /etc/pam.d to include pam_unix.so with the sha512 password hashing algorithm argument:
# authselect apply-changes
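The note at the top of the Solution says the change only affects passwords created afterwards, so hashes already stored keep their old algorithm. The following added example (not part of the benchmark text) lists accounts whose shadow(5) entry is not a SHA-512 (`$6$`) hash; the function names and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark). Sample data below is constructed.

# classify_hash FIELD: print the scheme of one shadow(5) password field.
classify_hash() {
    local field="$1"
    # Drop the "!" / "!!" lock markers so a locked hash is still classified.
    field="${field#\!}"; field="${field#\!}"
    case "$field" in
        ''|'*')          echo none ;;            # no password hash stored
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$1$'*)          echo md5 ;;
        '$2'[abxy]'$'*)  echo blowfish ;;
        '$y$'*)          echo yescrypt ;;
        *)               echo des-or-unknown ;;  # legacy DES/bigcrypt: no $id$
    esac
}

# non_sha512_users FILE: print "user scheme" for each account whose stored
# hash is not sha512, i.e. the accounts that still need a password change.
non_sha512_users() {
    local user field rest scheme
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        scheme="$(classify_hash "$field")"
        case "$scheme" in
            sha512|none) ;;
            *) printf '%s %s\n' "$user" "$scheme" ;;
        esac
    done < "$1"
}

# Constructed shadow(5)-format sample; hash bodies are dummy text.
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$dummyhashbody:19700:0:99999:7:::
alice:$5$saltsalt$dummyhashbody:19700:0:99999:7:::
bob:$1$saltsalt$dummyhashbody:19000:0:99999:7:::
carol:!$y$j9T$saltsalt$dummyhashbody:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
EOF
}

# Demo on the sample. On a real host, run as root against /etc/shadow.
tmp="$(mktemp)"; sample_shadow > "$tmp"
non_sha512_users "$tmp"
rm -f "$tmp"
```

Each account it lists can then be forced to set a new password at next login, for example with `chage -d 0 <user>`, after which the new hash is written with sha512.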