← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure pam_unix includes a strong password hashing algorithm

pam-password-sha512 · RHEL ≥ 8 · 1 impl

Description

PAM must use a strong password hashing algorithm (SHA-512).

Rationale

Weak hashing algorithms allow faster offline cracking of password hashes.

Check → Remediate

Checkcommand
# BOTH the system-auth and password-auth stacks must configure pam_unix.so
# with sha512: V-281217 targets password-auth and V-281219 targets
# system-auth (and rhel8 V-244524/V-230237 + CIS require both). A single
# multi-file grep only matches ANY, which false-PASSes a host configuring
# one file but not the other. A stack is satisfied if the file has the
# line directly OR pulls it in via substack/include of another pam file
# (rhel9 V-258233 explicitly exempts the substacked-from-system-auth case).
stack_has_sha512() {
  f=/etc/pam.d/$1
  [ -f "$f" ] || return 1
  grep -qE '^[[:space:]]*password.*pam_unix\.so.*sha512' "$f" 2>/dev/null && return 0
  for inc in $(awk '/^[[:space:]]*(password[[:space:]]+)?(substack|include)[[:space:]]/ {print $NF}' "$f" 2>/dev/null); do
    grep -qE '^[[:space:]]*password.*pam_unix\.so.*sha512' "/etc/pam.d/$inc" 2>/dev/null && return 0
  done
  return 1
}
for stack in system-auth password-auth; do
  stack_has_sha512 "$stack" || {
    echo "FAIL: the $stack stack does not configure pam_unix.so with sha512 (directly or via substack)"
    exit 1
  }
done
echo "OK: system-auth and password-auth stacks both configure pam_unix.so with sha512"
exit 0
expected_exit:
0
Remediatepam_module_arg
action:
ensure
module:
pam_unix.so
arg:
sha512
type:
password
files:
/etc/pam.d/system-auth, /etc/pam.d/password-auth

Framework references

CIS

rhel9 5.3.3.4.3rhel10 5.3.2.4.3rhel8 5.3.3.4.3

STIG

V-281217 / RHEL-10-600650V-281219 / RHEL-10-600710V-258233 / RHEL-09-671025V-244524 / RHEL-08-010159V-230237 / RHEL-08-010160

NIST 800-53

IA-5IA-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#password#hashing