highaccess-controlunverified
Ensure login.defs ENCRYPT_METHOD is SHA512 (RHEL 10 STIG)
password-encrypt-method-sha512 · RHEL ≥ 10 · 1 impl
Description
The RHEL 10 STIG requires /etc/login.defs ENCRYPT_METHOD to be "SHA512" so that the shadow file stores only SHA-512 encrypted password representations. This is stricter than the CIS benchmark (which also accepts YESCRYPT, the RHEL 10 default) — a host may satisfy CIS while failing this STIG requirement.
Rationale
FIPS 140-3 validated deployments require SHA-512 password hashing. Although YESCRYPT is cryptographically strong and is the RHEL 10 default, the STIG mandates SHA-512 specifically, so ENCRYPT_METHOD must be set to SHA512.
Check → Remediate
Checkcommand
m=$(grep -iE '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' /etc/login.defs 2>/dev/null \
| awk '{print $2}' | tail -1)
if [ "$m" = "SHA512" ]; then
echo "OK: ENCRYPT_METHOD is SHA512"
exit 0
fi
echo "FAIL: ENCRYPT_METHOD is '${m:-unset}' (the RHEL 10 STIG requires SHA512)"
exit 1
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- ENCRYPT_METHOD
- value:
- SHA512
- separator:
Framework references
STIG
V-281222 / RHEL-10-600740
NIST 800-53
IA-5(1)(c)IA-7
#password#hashing#sha512#login-defs#fips#stig