From f3e1cc97dc0095096ceec1a038b76f156a60ac43 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 20 Dec 2024 12:12:59 -0600 Subject: [PATCH] Update set_password_hashing_algorithm_passwordauth for RHEL 10 STIG --- .../policy/stig/rhel10.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml new file mode 100644 index 00000000000..b8b8afdefc0 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml @@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + +fixtext: |- + Configure {{{ full_name }}} to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + + Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the yescrypt option for pam_unix.so: + + password sufficient pam_unix.so yescrypt + +checktext: |- + Verify that the pam_unix.so module is configured to use yescrypt in /etc/pam.d/password-auth with the following command: + + $ grep "^password.*pam_unix.so.*yescrypt" /etc/pam.d/password-auth + + password sufficient pam_unix.so yescrypt + + If "yescrypt" is missing, or the line is commented out, this is a finding. + + + +vuldiscussion: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + + {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.