← Rules Catalog
mediumaccess-controlunverified

Ensure stored passwords use the SHA-512 hashing algorithm

shadow-password-sha512 · RHEL ≥ 8 · 1 impl

Description

Every interactive account with a password in /etc/shadow must store it as a SHA-512 hash (a field beginning with $6$). Accounts that are locked or have no password ($!, $*, or empty) are not evaluated.

Rationale

Weaker hash algorithms (MD5, SHA-256, or DES) are more susceptible to offline cracking. SHA-512 is the FIPS-approved algorithm required for stored authenticators on RHEL 8.

Check → Remediate

Checkcommand
fail=0
while IFS=: read -r user hash _; do
  case "$hash" in
    ''|'!'*|'*'*) continue ;;   # no password / locked — not evaluated
    '$6$'*) continue ;;         # SHA-512 — compliant
    *) echo "FAIL: $user has a non-SHA-512 password hash"; fail=1 ;;
  esac
done < /etc/shadow
if [ "$fail" -eq 0 ]; then
  echo "OK: all stored passwords use SHA-512"
  exit 0
fi
exit 1
expected_exit:
0
Remediatemanual
note:
Force affected accounts to reset their password so it is re-hashed with SHA-512 (ensure ENCRYPT_METHOD SHA512 is set in /etc/login.defs first): passwd --expire <user> or lock accounts that should not have a password: passwd -l <user>

Framework references

STIG

V-281221 / RHEL-10-600730V-230232 / RHEL-08-010120

NIST 800-53

IA-5
#passwords#hashing#sha512#fips#shadow#stig