Profile Applicability:
• Level 1
Description:
The pam_unix module handles authentication against the local password database (/etc/passwd and /etc/shadow). Its sha512 option makes pam_unix hash newly set passwords with the SHA-512 crypt scheme (hashes beginning with $6$ in /etc/shadow), which is far more resistant to brute-force and dictionary attacks than the legacy MD5 ($1$) or DES schemes.
Rationale:
Using a strong password hashing algorithm protects against password cracking by increasing the computational cost of each guess for an attacker who has obtained the hashes (for example from a copy of /etc/shadow) and is attempting to recover plaintext passwords.
Impact:
Pros:
Enhances password storage security.
Supports compliance with security best practices and standards.
Cons:
May slightly increase authentication processing time.
Passwords already stored with an older algorithm are not rehashed until the user next changes their password, so existing weak hashes remain until a password change is forced.
Default Value:
Amazon Linux 2 and other RHEL-derived distributions ship sha512 on the pam_unix password line (and ENCRYPT_METHOD SHA512 in /etc/login.defs) by default, but this should be verified, since authconfig runs or manual edits can change it.
Pre-requisites:
Root or sudo privileges to modify PAM configuration.
Remediation:
Test Plan:
Using Linux command line:
- Check the pam_unix password lines in the PAM configuration files. On Amazon Linux 2 (and other RHEL-derived systems) the relevant files are /etc/pam.d/system-auth and /etc/pam.d/password-auth; /etc/pam.d/common-password is the Debian/Ubuntu equivalent:
grep pam_unix /etc/pam.d/system-auth /etc/pam.d/password-auth
grep pam_unix /etc/pam.d/common-password
Verify that sha512 is included in the options of every line of type "password" that loads pam_unix.so. pam_unix also appears on auth, account and session lines; the hashing option is only meaningful on the password line. Optionally confirm that the hashes in /etc/shadow begin with $6$, the SHA-512 crypt prefix.
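The following audit script is an added example, not part of the CIS benchmark or of pam_unix itself. It performs the two checks above: that every password-type pam_unix line carries sha512, and that the stored hashes in a shadow file use the $6$ (SHA-512 crypt) prefix. The sample PAM and shadow files it writes to a temporary directory are constructed for the demonstration (the hash values are placeholders, not real crypt output); to audit a host, call the functions with the real paths, as root for /etc/shadow.

```shell
#!/bin/sh
# Added audit example (not from the CIS benchmark): checks the pam_unix password
# lines for the sha512 option and reports shadow entries that are not SHA-512.
# The sample files below are constructed so the script runs offline; pass the
# real paths (/etc/pam.d/system-auth /etc/pam.d/password-auth, /etc/shadow) to
# audit a host.

# check_pam_sha512 FILE...
# Returns 0 if every uncommented "password" line that loads pam_unix.so carries
# sha512, 1 otherwise (offending lines are printed). auth/account/session lines
# are ignored: the hashing option only applies to the password stack.
check_pam_sha512() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: not readable" >&2
            rc=1
            continue
        fi
        bad=$(grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_unix\.so' "$f" \
              | grep -Ev '[[:space:]]sha512([[:space:]]|$)' || true)
        if [ -n "$bad" ]; then
            printf '%s: pam_unix password line without sha512:\n%s\n' "$f" "$bad"
            rc=1
        fi
    done
    return $rc
}

# check_shadow_hashes FILE
# Prints local accounts whose stored hash does not start with $6$ (SHA-512 crypt)
# and returns 1 if any were found. Locked or empty password fields (*, !, !!, "")
# are skipped; empty password fields are a separate control.
check_shadow_hashes() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "$f: not readable (run as root for /etc/shadow)" >&2
        return 1
    fi
    weak=$(awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$6\$/ { print $1 " (" substr($2, 1, 3) ")" }' "$f")
    if [ -n "$weak" ]; then
        printf '%s: accounts not hashed with SHA-512:\n%s\n' "$f" "$weak"
        return 1
    fi
    return 0
}

# --- constructed sample input (placeholders, not real system files) ---
tmp=$(mktemp -d)
cat > "$tmp/system-auth.weak" <<'EOF'
auth        required      pam_unix.so nullok try_first_pass
# password    sufficient    pam_unix.so sha512 shadow
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF
cat > "$tmp/system-auth.ok" <<'EOF'
auth        required      pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$saltsalt$constructedsha512hashvalue:19700:0:99999:7:::
legacy:$1$saltsalt$constructedmd5hashvalue:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
EOF

check_pam_sha512 "$tmp/system-auth.ok"   && echo "system-auth.ok: compliant"
check_pam_sha512 "$tmp/system-auth.weak" || echo "system-auth.weak: NOT compliant"
check_shadow_hashes "$tmp/shadow"        || echo "shadow: listed accounts need a password reset"
rm -rf "$tmp"
```

Accounts reported by check_shadow_hashes keep their old hash until the next password change; expiring their passwords (for example with chage -d 0 on each account) forces a rehash under the new algorithm at the next login. The shadow check accepts only the $6$ prefix, matching this control; a stronger scheme such as $y$ (yescrypt) would also be reported and should be judged on its own merits.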
Implementation Plan:
Using Linux command line:
1. Back up the PAM password configuration file, then edit it (on Amazon Linux 2 apply the same change to /etc/pam.d/password-auth, which is used by sshd and other network services):
vi /etc/pam.d/system-auth
On Amazon Linux 2 these files are symlinks managed by authconfig, and a later authconfig run can overwrite manual edits; where authconfig is in use, make the change with authconfig --passalgo=sha512 --update instead.
2. Add or ensure sha512 is included in the pam_unix line of type "password", for example:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
Note that nullok allows accounts with an empty password field to authenticate and is normally removed unless explicitly required.
3. Save the file. Passwords already stored with an older algorithm keep their old hash until the user next changes their password, so force a password change for any account whose /etc/shadow entry does not begin with $6$.
Backout Plan:
Using Linux command line:
Restore the backup of /etc/pam.d/system-auth (and /etc/pam.d/password-auth) taken before the change, or remove the sha512 option from the pam_unix password line.
Test a password change and a subsequent login to confirm that authentication still works.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_unix Documentation