Merge pull request #6879 from teacup-on-rockingchair/suse_SLES-15-010250
SLES-15-010250 add rule, remediation and tests.
vojtapolasek committed May 3, 2021
2 parents a5801ff + 5cdb94e commit 5a89d37
Showing 6 changed files with 78 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# platform = multi_platform_sle
. /usr/share/scap-security-guide/remediation_functions

ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' ''
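Review bot: the platform tag `# platform = multi_platform_sle` on the first line is wider than the rule's `prodtype: sle15` and the test scenarios' `# platform = SUSE Linux Enterprise 15`; align them (narrow the remediation to sle15, or widen the rule and tests) so the fix is not built for products the rule does not claim. The two empty trailing arguments in the `ensure_pam_module_options` call are also unexplained; a one-line comment stating that `sha512` is a bare flag with no value, so no value regex or default is passed, would save the next reader a trip to `remediation_functions`.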
@@ -0,0 +1,64 @@
documentation_complete: true

prodtype: sle15

title: "Set PAM's Common Authentication Hashing Algorithm"

description: |-
The PAM system service can be configured to only store encrypted
representations of passwords. In
<tt>/etc/pam.d/common-auth</tt>,
the
<tt>auth</tt> section of the file controls which PAM modules execute
during a password change. Set the <tt>pam_unix.so</tt> module in the
<tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown
below:
<br />
<pre>auth required pam_unix.so sha512 <i>other arguments...</i></pre>
<br />
This will help ensure when local users change their authentication method,
hashes for the new authentications will be generated using the SHA-512
algorithm. This is the default.
rationale: |-
Unapproved mechanisms used for authentication to the cryptographic module
are not verified and therefore cannot be relied on to provide
confidentiality or integrity, and data may be compromised.
This setting ensures user and group account administration utilities are
configured to store only encrypted representations of passwords.
Additionally, the <tt>crypt_style</tt> configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult.
severity: medium

identifiers:
cce@sle15: CCE-85754-0

references:
disa: CCI-000803
nist: IA-7,IA-7.1
srg@sle15: SRG-OS-000120-GPOS-00061
vmmsrg@sle15: SRG-OS-000480-VMM-002000
stigid@sle15: SLES-15-010250

ocil_clause: 'it does not'

ocil: |-
Inspect the contents of <tt>/etc/pam.d/common-auth</tt>
and ensure that the <tt>pam_unix.so</tt> module includes the argument
<tt>sha512</tt>:
<pre>$ grep sha512 /etc/pam.d/common-auth</pre>
platform: pam

template:
name: pam_options
vars:
path: /etc/pam.d/common-auth
type: auth
control_flag: required
module: pam_unix.so
arguments:
- argument: sha512
new_argument: sha512
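Review bot: the description is inaccurate where it says the `auth` section "controls which PAM modules execute during a password change": the `auth` stack governs authentication, while password changes run through the `password` stack, so `sha512` on this `auth` line does not by itself decide how new hashes are generated. Reword it to say the argument is placed on the `auth` line to match the STIG check, and drop the unverified "This is the default." sentence. The rationale likewise refers to a `crypt_style` option that this rule never configures and to "user and group account administration utilities" that common-auth does not control; trim it to what the `sha512` argument on `pam_unix.so` actually provides. Lastly, the template `arguments` entry repeats `sha512` as both `argument` and `new_argument`; confirm that is the shape the `pam_options` template expects for a value-less flag, and add a short comment if it is.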
@@ -0,0 +1,3 @@
# platform = SUSE Linux Enterprise 15

echo "auth optional pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth
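Review bot: `echo "..." > /etc/pam.d/common-auth` replaces the whole file with one line, so the check and remediation are never exercised against a realistic multi-line auth stack; if common-auth is a pam-config managed symlink, as it commonly is on SLE, the redirection also writes through it and clobbers the target. Prefer editing the existing `pam_unix.so` line in place (for example with `sed`), and add a comment stating the expected outcome: the `optional` control flag suggests this is a fail scenario, but nothing in the file says so.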
@@ -0,0 +1,3 @@
# platform = SUSE Linux Enterprise 15

echo "auth required pam_unix.so try_first_pass" > /etc/pam.d/common-auth
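Review bot: as with the previous scenario, the file is overwritten wholesale rather than edited; a comment documenting intent would help, since the missing `sha512` argument on `auth required pam_unix.so try_first_pass` reads as the "argument absent, expect fail and expect remediation to add it" case but the hunk does not say so.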
@@ -0,0 +1,3 @@
# platform = SUSE Linux Enterprise 15

echo "auth required pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth
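Review bot: this pass scenario only covers the case where `sha512` is the last argument on a single-line file; consider a second passing scenario where `sha512` precedes `try_first_pass` and the file carries other `auth` lines, so the check is shown not to be order-sensitive and the remediation is shown to leave unrelated lines untouched.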
1 change: 1 addition & 0 deletions sle15/profiles/stig.profile
@@ -215,6 +215,7 @@ selections:
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
- set_password_hashing_min_rounds_logindefs
- set_password_hashing_algorithm_commonauth
- smartcard_configure_ca
- smartcard_configure_cert_checking
- smartcard_pam_enabled
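Review bot: the new selection `- set_password_hashing_algorithm_commonauth` is inserted after `set_password_hashing_min_rounds_logindefs`, breaking the alphabetical order the surrounding entries follow; move it above `- set_password_hashing_algorithm_logindefs` so the list stays sorted.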
