Description of problem:
There is no Ansible task checking for the above control item.
SCAP Security Guide Version:
Looking at the official RHEL7 STIG Ansible playbook sources, there is nothing that checks for RHEL-07-010200.
Additional Information/Debugging Steps:
This is the text copied from the SAR template RedHat_Ent_Linux_7_STIG_230421 sheet, for item RHEL-07-010200.
Requirement
The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
Vulnerability
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Checks
Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
Check that the system is configured to create SHA512 hashed passwords with the following command:
The outcome should look like the following:
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.
Fixes
Configure the operating system to store only SHA512 encrypted representations of passwords.
Add the following line in "/etc/pam.d/system-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok
Add the following line in "/etc/pam.d/password-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok
Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.
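As an added illustration of the check above (not code from SCAP Security Guide or the STIG), the following parses pam.d-style content and reports any `password` line invoking `pam_unix.so` that lacks `sha512` or names another pam_unix hashing option; the sample file contents are constructed, not captured from a host.

```python
import re
from typing import Dict, List, Tuple

# pam_unix.so hashing options other than sha512; any of them in the password stack is a finding.
OTHER_HASH_OPTIONS = {"md5", "bigcrypt", "sha256", "blowfish"}
# type, control (plain word or [bracketed action list]), module path, optional arguments
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_lines(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (type, control, module, args) for each effective line of a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = _PAM_LINE.match(line) if line else None
        if match:
            ptype, control, module, args = match.groups()
            entries.append((ptype.lstrip("-"), control, module, args.split()))
    return entries

def check_pam_unix_sha512(text: str) -> List[str]:
    """Return findings for the 'password' stack; an empty list means compliant."""
    findings: List[str] = []
    seen = False
    for ptype, _control, module, args in parse_pam_lines(text):
        if ptype != "password" or not module.endswith("pam_unix.so"):
            continue
        seen = True
        if "sha512" not in args:
            findings.append("pam_unix.so password line without sha512: " + " ".join(args))
        for other in sorted(OTHER_HASH_OPTIONS.intersection(args)):
            findings.append(f"pam_unix.so password line allows {other} hashes")
    if not seen:
        findings.append("no 'password' line invokes pam_unix.so")
    return findings

def audit_pam_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to its findings, omitting files that pass."""
    results = {name: check_pam_unix_sha512(text) for name, text in files.items()}
    return {name: f for name, f in results.items() if f}

# Constructed sample contents (not captured from a real host) for the two STIG-listed files.
COMPLIANT = """password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""
NONCOMPLIANT = """password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""
```

On a real host you would feed it the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth via `audit_pam_files`; a non-empty result for either file is the finding the STIG describes.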