← Rules Catalog
mediumaccess-controlunverified

Ensure libuser uses the SHA-512 crypt style

libuser-sha512 · RHEL ≥ 8 · 1 impl

Description

/etc/libuser.conf must set crypt_style = sha512 so accounts created via the libuser tooling store SHA-512 password hashes.

Rationale

A weaker libuser crypt_style would let some account-management paths write non-FIPS password hashes.

Check → Remediate

Checkcommand
[ -f /etc/libuser.conf ] || { echo "NOT APPLICABLE: libuser not installed"; exit 0; }
grep -qiE '^[[:space:]]*crypt_style[[:space:]]*=[[:space:]]*sha512' /etc/libuser.conf
expected_exit:
0
Remediateconfig_set
path:
/etc/libuser.conf
key:
crypt_style
value:
sha512
separator:
=

Framework references

STIG

V-281223 / RHEL-10-600750V-258116 / RHEL-09-611135

NIST 800-53

IA-5(1)
#libuser#hashing#sha512#stig