← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure sufficient SHA-512 hashing rounds in password-auth

pam-sha512-rounds-password-auth · RHEL ≥ 8 · 1 impl

Description

The pam_unix module in /etc/pam.d/password-auth must be configured to use a sufficient number of SHA-512 hashing rounds (at least 100000) to increase the computational cost of password cracking.

Rationale

Using a low number of hashing rounds makes it easier for attackers to crack password hashes offline. Configuring 100000 or more rounds significantly increases the time required for brute-force attacks.

Check → Remediate

Checkcommand
rounds=$(grep -Po '(?<=rounds=)[0-9]+' /etc/pam.d/password-auth 2>/dev/null | head -1)
[ -n "$rounds" ] && [ "$rounds" -ge {{ shadow_crypt_min_rounds }} ]
expected_exit:
0
Remediateconfig_set
path:
/etc/login.defs
key:
SHA_CRYPT_MIN_ROUNDS
value:
5000

Framework references

STIG

V-281220 / RHEL-10-600720V-258099 / RHEL-09-611050

NIST 800-53

IA-5(1)(c)

Live verification

rhel9:check
#pam#password#sha512#hashing#password-auth