mediumaccess-controlverified ✓rollback-safe
Ensure SHA512 minimum rounds are configured for password hashing
shadow-hashing-rounds · RHEL ≥ 8 · 1 impl
Description
The SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS parameters in /etc/login.defs must be set to the minimum required number of rounds to increase the computational cost of password cracking.
Rationale
A higher number of hashing rounds makes offline password cracking more computationally expensive. Using fewer rounds than 100000 provides weaker protection against brute-force attacks on stolen password hashes.
Check → Remediate
Checkconfig_value
- delimiter:
- path:
- /etc/login.defs
- key:
- SHA_CRYPT_MIN_ROUNDS
- expected:
- {{ shadow_crypt_min_rounds }}
- comparator:
- >=
Remediateconfig_set
- path:
- /etc/login.defs
- key:
- SHA_CRYPT_MIN_ROUNDS
- value:
- {{ shadow_crypt_min_rounds }}
- separator:
Framework references
STIG
V-230233
NIST 800-53
IA-5(1)
Live verification
rhel8:check
#password#hashing#sha512#login-defs