Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-219182 | UBTU-18-010110 | SV-219182r610963_rule | Medium |
| Description |
|---|
| The Ubuntu operating system must use a FIPS-compliant hashing algorithm to securely store the password. The FIPS-compliant hashing algorithm parameters must be selected in order to harden the system against offline attacks. |
| STIG | Date |
|---|---|
| Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide | 2020-12-09 |
Details
| Check Text ( C-20907r304874_chk ) |
|---|
| Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash. Check that pam_unix.so auth is configured to use sha512 with the following command: # grep password /etc/pam.d/common-password | grep pam_unix password [success=1 default=ignore] pam_unix.so obscure sha512 If "sha512" is not an option of the output, or is commented out, this is a finding. Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs: # grep -i ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD SHA512 If the output does not contain "sha512", or it is commented out, this is a finding. |
| Fix Text (F-20906r304875_fix) |
|---|
| Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so: password [success=1 default=ignore] pam_unix.so obscure sha512 Edit/modify /etc/login.defs and set "ENCRYPT_METHOD sha512". |