dev-sec · rndmh3ro · Jun 30, 2021 · Jun 28, 2021 · Jun 28, 2021 · Jun 29, 2021
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -193,6 +193,12 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
   - Default: `lost+found`
   - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+- `os_sha_crypt_min_rounds`
+  - Default: `640000`
+  - Description: Define the number of minimum SHA rounds. With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+- `os_sha_crypt_max_rounds`
+  - Default: `640000`
+  - Description: Define the number of maximum SHA rounds. With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
 
 ## Packages
 

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -321,3 +321,9 @@ os_selinux_policy: targeted
 
 # Mount options for proc in /etc/fstab.
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
+
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
+# The values must be inside the 1000-999999999 range.
+os_sha_crypt_min_rounds: "640000"
+os_sha_crypt_max_rounds: "640000"
diff --git a/roles/os_hardening/templates/etc/login.defs.j2 b/roles/os_hardening/templates/etc/login.defs.j2
@@ -173,8 +173,8 @@ ENCRYPT_METHOD    SHA512
 # With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
 # If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
-#SHA_CRYPT_MIN_ROUNDS    5000
-#SHA_CRYPT_MAX_ROUNDS    5000
+SHA_CRYPT_MIN_ROUNDS    {{ os_sha_crypt_min_rounds }}
+SHA_CRYPT_MAX_ROUNDS    {{ os_sha_crypt_max_rounds }}
 
 
 # Obsoleted by PAM

diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -38,7 +38,7 @@ password    requisite     pam_pwquality.so {{ os_auth_pam_pwquality_options }}
 {# NSA 2.3.3.6 Limit Password Reuse #}
 password    requisite     pam_pwhistory.so remember=5 use_authtok
 {# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 #}
-password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok rounds={{ os_sha_crypt_min_rounds }}
 {% if (os_auth_pam_sssd_enable | bool) %}
 password    sufficient    pam_sss.so use_authtok
 {% endif %}