highaccess-controlverified ✓rollback-safe
Ensure strong password hashing algorithm is configured
password-hashing-algorithm · RHEL ≥ 8 · 1 impl
Description
The system should use a strong password hashing algorithm such as yescrypt or SHA512 for storing passwords.
Rationale
Weak hashing algorithms can be cracked more easily. Modern algorithms like yescrypt provide better resistance to brute-force attacks.
Check → Remediate
Checkcommand
encrypt=$(grep -E '^ENCRYPT_METHOD' /etc/login.defs 2>/dev/null | awk '{print $2}')
case "$encrypt" in
YESCRYPT|SHA512)
echo "OK: Password hashing algorithm is $encrypt"
exit 0
;;
"")
# CIS FAILs when ENCRYPT_METHOD is unset; do not assume a default.
echo "FAIL: ENCRYPT_METHOD not set in /etc/login.defs"
exit 1
;;
*)
echo "FAIL: Weak hashing algorithm: $encrypt"
exit 1
;;
esac
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- ENCRYPT_METHOD
- value:
- YESCRYPT
- separator:
Framework references
CIS
rhel9 5.4.1.4rhel8 5.4.1.4rhel10 5.4.1.4
STIG
V-258231 / RHEL-09-671015V-230231
NIST 800-53
IA-5IA-5(1)(c)
Live verification
rhel10:checkrhel9:check
#password#hashing#encryption#security