← Rules Catalog
highaccess-controlunverified

Ensure login.defs ENCRYPT_METHOD is SHA512 (RHEL 10 STIG)

password-encrypt-method-sha512 · RHEL ≥ 10 · 1 impl

Description

The RHEL 10 STIG requires /etc/login.defs ENCRYPT_METHOD to be "SHA512" so that the shadow file stores only SHA-512 encrypted password representations. This is stricter than the CIS benchmark (which also accepts YESCRYPT, the RHEL 10 default) — a host may satisfy CIS while failing this STIG requirement.

Rationale

FIPS 140-3 validated deployments require SHA-512 password hashing. Although YESCRYPT is cryptographically strong and is the RHEL 10 default, the STIG mandates SHA-512 specifically, so ENCRYPT_METHOD must be set to SHA512.

Check → Remediate

Checkcommand
m=$(grep -iE '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' /etc/login.defs 2>/dev/null \
      | awk '{print $2}' | tail -1)
if [ "$m" = "SHA512" ]; then
  echo "OK: ENCRYPT_METHOD is SHA512"
  exit 0
fi
echo "FAIL: ENCRYPT_METHOD is '${m:-unset}' (the RHEL 10 STIG requires SHA512)"
exit 1
expected_exit:
0
Remediateconfig_set
path:
/etc/login.defs
key:
ENCRYPT_METHOD
value:
SHA512
separator:

Framework references

STIG

V-281222 / RHEL-10-600740

NIST 800-53

IA-5(1)(c)IA-7
#password#hashing#sha512#login-defs#fips#stig