← Back to SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

V-261385

CAT II (Medium)

SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

Rule ID

SV-261385r996586_rule

STIG

SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000196

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Check Content

Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command:

     > grep pam_unix.so /etc/pam.d/common-password
     password required pam_unix.so sha512

If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix Text

Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.