mediumaccess-controlverified ✓rollback-safe
Ensure pam_unix includes a strong password hashing algorithm
pam-password-sha512 · RHEL ≥ 8 · 1 impl
Description
PAM must use a strong password hashing algorithm (SHA-512).
Rationale
Weak hashing algorithms allow faster offline cracking of password hashes.
Check → Remediate
Checkcommand
# BOTH the system-auth and password-auth stacks must configure pam_unix.so
# with sha512: V-281217 targets password-auth and V-281219 targets
# system-auth (and rhel8 V-244524/V-230237 + CIS require both). A single
# multi-file grep only matches ANY, which false-PASSes a host configuring
# one file but not the other. A stack is satisfied if the file has the
# line directly OR pulls it in via substack/include of another pam file
# (rhel9 V-258233 explicitly exempts the substacked-from-system-auth case).
stack_has_sha512() {
f=/etc/pam.d/$1
[ -f "$f" ] || return 1
grep -qE '^[[:space:]]*password.*pam_unix\.so.*sha512' "$f" 2>/dev/null && return 0
for inc in $(awk '/^[[:space:]]*(password[[:space:]]+)?(substack|include)[[:space:]]/ {print $NF}' "$f" 2>/dev/null); do
grep -qE '^[[:space:]]*password.*pam_unix\.so.*sha512' "/etc/pam.d/$inc" 2>/dev/null && return 0
done
return 1
}
for stack in system-auth password-auth; do
stack_has_sha512 "$stack" || {
echo "FAIL: the $stack stack does not configure pam_unix.so with sha512 (directly or via substack)"
exit 1
}
done
echo "OK: system-auth and password-auth stacks both configure pam_unix.so with sha512"
exit 0
- expected_exit:
- 0
Remediatepam_module_arg
- action:
- ensure
- module:
- pam_unix.so
- arg:
- sha512
- type:
- password
- files:
- /etc/pam.d/system-auth, /etc/pam.d/password-auth
Framework references
CIS
rhel9 5.3.3.4.3rhel10 5.3.2.4.3rhel8 5.3.3.4.3
STIG
V-281217 / RHEL-10-600650V-281219 / RHEL-10-600710V-258233 / RHEL-09-671025V-244524 / RHEL-08-010159V-230237 / RHEL-08-010160
NIST 800-53
IA-5IA-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#password#hashing