STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide

V-219182

CAT II (Medium)

The Ubuntu operating system must employ a FIPS 140-2 approved cryptographic hashing algorithms for all created and stored passwords.

Rule ID

SV-219182r971535_rule

STIG

Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide

Version

V2R15

CCIs

CCI-000803

Discussion

The Ubuntu operating system must use a FIPS-compliant hashing algorithm to securely store the password. The FIPS-compliant hashing algorithm parameters must be selected in order to harden the system against offline attacks.

Check Content

Verify that encrypted passwords stored in /etc/shadow use a strong cryptographic hash.

Check that pam_unix.so auth is configured to use sha512 with the following command:

# grep password /etc/pam.d/common-password | grep pam_unix

password [success=1 default=ignore] pam_unix.so obscure sha512

If "sha512" is not an option of the output, or is commented out, this is a finding.

Check that ENCRYPT_METHOD is set to sha512 in /etc/login.defs:

# grep -i ENCRYPT_METHOD /etc/login.defs

ENCRYPT_METHOD SHA512

If the output does not contain "sha512", or it is commented out, this is a finding.

Fix Text

Configure the Ubuntu operating system to encrypt all stored passwords with a strong cryptographic hash.

Edit/modify the following line in the file "/etc/pam.d/common-password" file to include the sha512 option for pam_unix.so:

password [success=1 default=ignore] pam_unix.so obscure sha512

Edit/modify /etc/login.defs and set "ENCRYPT_METHOD sha512".