-
Notifications
You must be signed in to change notification settings - Fork 670
/
rule.yml
44 lines (33 loc) · 1.52 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
documentation_complete: true
prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
title: 'Set number of Password Hashing Rounds - system-auth'
description: |-
Configure the number or rounds for the password hashing algorithm. This can be
accomplished by using the <tt>rounds</tt> option for the <tt>pam_unix</tt> PAM module.
<br /><br />
In file <tt>/etc/pam.d/system-auth</tt> append <tt>rounds=<sub idref="var_password_pam_unix_rounds" /></tt>
to the <tt>pam_unix.so</tt> file, as shown below:
<pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds=<sub idref="var_password_pam_unix_rounds" /></pre>
The system's default number of rounds is 5000.
rationale: |-
Using a higher number of rounds makes password cracking attacks more difficult.
warnings:
- performance: |-
Setting a high number of hashing rounds makes it more difficult to brute force the password,
but requires more CPU resources to authenticate users.
severity: medium
identifiers:
cce@rhel7: CCE-83384-8
cce@rhel8: CCE-83386-3
references:
anssi: BP28(R32)
stigid@rhel8: RHEL-08-010130
srg: SRG-OS-000073-GPOS-00041
disa: CCI-000196
ocil_clause: 'it does not set the appropriate number of hashing rounds'
ocil: |-
To verify the number of rounds for the password hashing algorithm is compliant, run the following command:
<pre>$ grep rounds /etc/pam.d/system-auth</pre>
The output should show the following match:
<pre>rounds=<sub idref="var_password_pam_unix_rounds" /></pre>
platform: pam