Amazon Linux 2023 password-auth must be configured to use a sufficient number of hashing rounds.

STIG ID: AZLX-23-002490  |  SRG: SRG-OS-000073-GPOS-00041 |  Severity: medium (CAT II)  |  CCI: CCI-004062,CCI-000803 |  Vulnerability Id: V-274162

Vulnerability Discussion

Unapproved mechanisms, used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.

Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.

Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061

Check

Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in password-auth with the following command:

$ sudo grep rounds /etc/pam.d/password-auth
password sufficient pam_unix.so sha512 rounds=100000

If a matching line is not returned or "rounds" is less than "100000", this a finding.

Fix

Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords.

Add or modify the following line in "/etc/pam.d/password-auth" and set "rounds" to "100000".

password sufficient pam_unix.so sha512 rounds=100000
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.