mediumaccess-controlunverified
Ensure libuser uses the SHA-512 crypt style
libuser-sha512 · RHEL ≥ 8 · 1 impl
Description
/etc/libuser.conf must set crypt_style = sha512 so accounts created via the libuser tooling store SHA-512 password hashes.
Rationale
A weaker libuser crypt_style would let some account-management paths write non-FIPS password hashes.
Check → Remediate
Checkcommand
[ -f /etc/libuser.conf ] || { echo "NOT APPLICABLE: libuser not installed"; exit 0; }
grep -qiE '^[[:space:]]*crypt_style[[:space:]]*=[[:space:]]*sha512' /etc/libuser.conf
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/libuser.conf
- key:
- crypt_style
- value:
- sha512
- separator:
- =
Framework references
STIG
V-281223 / RHEL-10-600750V-258116 / RHEL-09-611135
NIST 800-53
IA-5(1)
#libuser#hashing#sha512#stig