Check: AZLX-23-002495
Amazon Linux 2023 STIG:
AZLX-23-002495
(in version v1 r1)
Title
Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds. (Cat II impact)
Discussion
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Check Content
Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in system-auth with the following command: $ sudo grep rounds /etc/pam.d/system-auth password sufficient pam_unix.so sha512 rounds=100000 If a matching line is not returned or "rounds" is less than "100000", this a finding.
Fix Text
Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to "100000". password sufficient pam_unix.so sha512 rounds=100000
Additional Identifiers
Rule ID: SV-274163r1120477_rule
Vulnerability ID: V-274163
Group Title: SRG-OS-000073-GPOS-00041
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000803 |
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
| CCI-004062 |
For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |