CCE-99404-6
Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: created 2023-02-09, modified 2023-09-01 |
Description: The commands below set the password hashing method to yescrypt (a much stronger, memory-hard hashing algorithm). The change only affects hashes written after it is made: existing accounts keep their current hashes until their password is next changed, so a password change must be performed (or forced, for example with chage -d 0 <user>) to upgrade the stored hashes to the new algorithm.

Rationale: yescrypt provides much stronger hashing than the previously available algorithms (md5, sha256, sha512), thus providing additional protection to the system by increasing the level of effort an attacker needs to recover passwords from a stolen /etc/shadow. Note that these changes apply only to accounts configured on the local system.

Audit: Run the following command and ensure that no hashing algorithm is set for the pam_unix.so module (an algorithm option on this line overrides the setting in /etc/login.defs):
# grep -v '^#' /etc/pam.d/common-password | grep -E '(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)'
Nothing should be returned; the pam_unix.so line should look similar to:
password [success=1 default=ignore] pam_unix.so obscure
Then ensure that ENCRYPT_METHOD is set to yescrypt in /etc/login.defs:
# grep -Ei '^\s*ENCRYPT_METHOD\s+yescrypt\s*$' /etc/login.defs
Output should be:
ENCRYPT_METHOD yescrypt

Remediation: Edit the /etc/pam.d/common-password file and remove any yescrypt, md5, bigcrypt, sha256, sha512 or blowfish option from the pam_unix.so line, as shown:
password [success=1 default=ignore] pam_unix.so obscure
Then edit /etc/login.defs and set:
ENCRYPT_METHOD yescrypt
Parameter:
[yes/no]
Technical Mechanism:
Edit /etc/pam.d/common-password to ensure no hashing algorithm option is set for pam_unix.so (an option there overrides /etc/login.defs).
Edit /etc/login.defs to set ENCRYPT_METHOD to yescrypt.
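The following POSIX shell script is an added example, not part of this SecPod page or its OVAL content. It implements the audit and remediation steps above as functions that take file paths, runs them against constructed sample copies of /etc/login.defs and /etc/pam.d/common-password (so it works offline and without root), and adds a helper that classifies an /etc/shadow hash field by its crypt(3) prefix so you can see which accounts still carry pre-yescrypt hashes. The sample file contents and the hash strings are constructed for illustration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the SecPod page): audit and remediate the two settings
# this CCE describes, operating on copies so it runs without root.
# Point the functions at /etc/login.defs and /etc/pam.d/common-password on a real host.

# Pass when ENCRYPT_METHOD is set to yescrypt (case-insensitive, as shadow reads it).
check_login_defs() {
    grep -Eiq '^[[:space:]]*ENCRYPT_METHOD[[:space:]]+yescrypt[[:space:]]*$' "$1"
}

# Pass when no non-comment pam_unix.so line names a hashing algorithm explicitly.
# An explicit option here overrides ENCRYPT_METHOD, which is why it must be absent.
check_pam_unix() {
    ! grep -v '^[[:space:]]*#' "$1" | grep 'pam_unix\.so' \
        | grep -Eq '(^|[[:space:]])(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)([[:space:]]|$)'
}

# Set ENCRYPT_METHOD yescrypt, replacing an existing (uppercase) key or appending one.
remediate_login_defs() {
    if grep -Eq '^[[:space:]]*ENCRYPT_METHOD[[:space:]]' "$1"; then
        sed -E 's/^[[:space:]]*ENCRYPT_METHOD[[:space:]].*$/ENCRYPT_METHOD yescrypt/' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'ENCRYPT_METHOD yescrypt\n' >> "$1"
    fi
}

# Strip explicit algorithm options from non-comment pam_unix.so lines.
remediate_pam_unix() {
    sed -E -e '/^[[:space:]]*#/b' \
        -e '/pam_unix\.so/ s/[[:space:]]+(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)([[:space:]]|$)/\2/g' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Classify one /etc/shadow password field by its crypt(3) prefix. Accounts that
# still report sha512/sha256/md5 keep the old hash until their password changes.
hash_type() {
    case "$1" in
        '$y$'*)    echo yescrypt ;;
        '$6$'*)    echo sha512 ;;
        '$5$'*)    echo sha256 ;;
        '$1$'*)    echo md5 ;;
        '!'*|'*'*) echo locked ;;
        *)         echo unknown ;;
    esac
}

# Constructed sample files in a temp directory; prints the directory path.
make_samples() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/login.defs" <<'EOF'
# constructed sample login.defs fragment (not a real system file)
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
EOF
    cat > "$sample_dir/common-password" <<'EOF'
# constructed sample common-password fragment (not a real system file)
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
EOF
    printf '%s\n' "$sample_dir"
}

# Demonstration: audit, remediate, audit again on the constructed samples.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
d=$(make_samples)
report check_login_defs "$d/login.defs"
report check_pam_unix "$d/common-password"
remediate_login_defs "$d/login.defs"
remediate_pam_unix "$d/common-password"
report check_login_defs "$d/login.defs"
report check_pam_unix "$d/common-password"
echo "constructed shadow field \$6\$... is: $(hash_type '$6$constructed$notarealhash')"
rm -rf "$d"
```

On a real host, run `check_login_defs /etc/login.defs` and `check_pam_unix /etc/pam.d/common-password` as the audit; after remediation, list accounts whose stored hash is not yet yescrypt with `hash_type` over the second field of /etc/shadow and force a change for each with `chage -d 0 <user>`.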
CCSS Severity: HIGH

CCSS Metrics:
| Metric | Value |
|---|---|
| CCSS Score | 8.1 |
| Exploit Score | 2.2 |
| Impact Score | 5.9 |
| Severity | HIGH |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
References:
| Resource Id | Reference |
|---|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85214 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87268 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92198 |