← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure SHA512 minimum rounds are configured for password hashing

shadow-hashing-rounds · RHEL ≥ 8 · 1 impl

Description

The SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS parameters in /etc/login.defs must be set to the minimum required number of rounds to increase the computational cost of password cracking.

Rationale

A higher number of hashing rounds makes offline password cracking more computationally expensive. Using fewer rounds than 100000 provides weaker protection against brute-force attacks on stolen password hashes.

Check → Remediate

Checkconfig_value
delimiter:
path:
/etc/login.defs
key:
SHA_CRYPT_MIN_ROUNDS
expected:
{{ shadow_crypt_min_rounds }}
comparator:
>=
Remediateconfig_set
path:
/etc/login.defs
key:
SHA_CRYPT_MIN_ROUNDS
value:
{{ shadow_crypt_min_rounds }}
separator:

Framework references

STIG

V-230233

NIST 800-53

IA-5(1)

Live verification

rhel8:check
#password#hashing#sha512#login-defs