← Back to Amazon Linux 2023 Security Technical Implementation Guide

V-274162

CAT II (Medium)

Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.

Rule ID

SV-274162r1120474_rule

STIG

Amazon Linux 2023 Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-004062, CCI-000803

Discussion

Unapproved mechanisms, used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061

Check Content

Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in password-auth with the following command:

$ sudo grep rounds /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 rounds=100000

If a matching line is not returned or "rounds" is less than "100000", this a finding.

Fix Text

Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords.

Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000".

password sufficient pam_unix.so sha512 rounds=100000