Title

SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. (Cat II impact)

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Check Content

Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command: > grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix Text

Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.

Additional Identifiers

Rule ID: SV-261385r996586_rule

Vulnerability ID: V-261385

Group Title: SRG-OS-000073-GPOS-00041

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.