
RHEL7 STIG: Missing check for RHEL-07-010200 #7421

Closed
Apteryks opened this issue Aug 19, 2021 · 0 comments · Fixed by #9097
Labels
Ansible Ansible remediation update. RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related.
Comments

@Apteryks

Description of problem:

There is no Ansible task checking for the above control item.

SCAP Security Guide Version:

Looking at the official RHEL7 STIG Ansible playbook sources, there is nothing that checks for RHEL-07-010200.

Additional Information/Debugging Steps:

This is the text copied from the SAR template RedHat_Ent_Linux_7_STIG_230421 sheet, for item RHEL-07-010200.

Requirement

The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.

Vulnerability

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Checks

"Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.

Check that the system is configured to create SHA512 hashed passwords with the following command:

# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth

Outcome should look like the following:
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok

If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding."

Fixes

"Configure the operating system to store only SHA512 encrypted representations of passwords.

Add the following line in "/etc/pam.d/system-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok

Add the following line in "/etc/pam.d/password-auth":
pam_unix.so sha512 shadow try_first_pass use_authtok

Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement."
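The following POSIX shell check is an added example written for this page; it is not code from the issue, from the SCAP Security Guide project, or from the STIG itself. It implements the "Checks" text of RHEL-07-010200 above: for each of /etc/pam.d/system-auth and /etc/pam.d/password-auth, every non-comment line whose first field is "password" and which loads pam_unix.so must carry the "sha512" option; a missing file, a file with no pam_unix.so password line, or a pam_unix.so line without sha512 is reported as a finding. The function and file names (pam_unix_sha512_ok, check_rhel_07_010200, make_sample) and the sample PAM files it writes under a temporary directory are assumptions made for the demo; the optional ROOT argument lets it run against a fabricated tree instead of the live system. Like the grep in the STIG text, it reads through the system-auth-ac symlink that authconfig manages.

```shell
#!/bin/sh
# Added example (not from the issue or the SCAP Security Guide project):
# a check mirroring the RHEL-07-010200 "Checks" procedure for pam_unix.so.

# pam_unix_sha512_ok FILE -> exit 0 if every "password ... pam_unix.so" line
# in FILE carries the sha512 token, 1 otherwise (a verdict line is printed).
pam_unix_sha512_ok() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "FINDING: $file: not present or not readable"
        return 1
    fi
    awk -v f="$file" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        $1 == "password" {
            uses_unix = 0; has_sha512 = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_unix\.so$/) uses_unix = 1   # bare or full path
                if ($i == "sha512")             has_sha512 = 1
            }
            if (uses_unix) {
                seen++
                if (!has_sha512) { bad++; print "FINDING: " f ":" NR ": " $0 }
            }
        }
        END {
            if (seen == 0) { print "FINDING: " f ": no password line loads pam_unix.so"; exit 1 }
            if (bad > 0) exit 1
            print "OK: " f ": " seen " pam_unix.so password line(s) use sha512"
        }' "$file"
}

# check_rhel_07_010200 [ROOT] -> exit 0 only if both STIG files under
# ROOT/etc/pam.d pass; ROOT defaults to the live system (/etc/pam.d).
check_rhel_07_010200() {
    root=${1:-}
    status=0
    for f in system-auth password-auth; do
        pam_unix_sha512_ok "$root/etc/pam.d/$f" || status=1
    done
    return $status
}

# write_pam_file PATH OPTIONS -> constructed sample (not a real RHEL 7 file)
# with one pam_unix.so password line using OPTIONS as its hash option.
write_pam_file() {
    printf '%s\n' \
        '#%PAM-1.0' \
        '# constructed sample for the demo, not an authconfig-generated file' \
        'auth        required      pam_env.so' \
        'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3' \
        "password    sufficient    pam_unix.so $2 shadow try_first_pass use_authtok" \
        'password    required      pam_deny.so' > "$1"
}

# make_sample ROOT MODE -> builds ROOT/etc/pam.d with system-auth compliant and
# password-auth "compliant", hashing with "md5", or "missing" entirely.
make_sample() {
    root=$1; mode=$2
    mkdir -p "$root/etc/pam.d"
    rm -f "$root/etc/pam.d/system-auth" "$root/etc/pam.d/password-auth"
    write_pam_file "$root/etc/pam.d/system-auth" sha512
    case $mode in
        compliant) write_pam_file "$root/etc/pam.d/password-auth" sha512 ;;
        md5)       write_pam_file "$root/etc/pam.d/password-auth" md5 ;;
        missing)   : ;;
    esac
}

# Stand-alone demo on constructed files; nothing under the real /etc is read.
demo_root=$(mktemp -d)
for mode in compliant md5 missing; do
    echo "== sample mode: $mode =="
    make_sample "$demo_root" "$mode"
    check_rhel_07_010200 "$demo_root" && echo "RESULT: pass" || echo "RESULT: finding"
done
rm -rf "$demo_root"
```

Run it with no argument to audit the live host; the per-file verdict lines are what an Ansible task built around this logic would register and assert on. Matching the literal token sha512 rather than grepping the whole line avoids accepting a file where sha512 appears only in a comment, and requiring at least one pam_unix.so password line catches a file that silently drops the module altogether.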

@marcusburghardt marcusburghardt added Ansible Ansible remediation update. RHEL7 Red Hat Enterprise Linux 7 product related. STIG STIG Benchmark related. labels Jul 6, 2022
@marcusburghardt marcusburghardt added this to the 0.1.63 milestone Jul 6, 2022