OpenControls Logo

STIG Viewer

RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-281217RHEL-10-600650SV-281217r1195450_ruleCCI-004062medium
Description
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified; therefore, they cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised. RHEL 10 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
STIGDate
Red Hat Enterprise Linux 10 Security Technical Implementation Guide2026-03-11

Related Frameworks

6 paths across 3 frameworks
NIST 800-531 mapping
IA-5(1)
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1714 mappings
3.5.10
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.7
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.8
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.9
1.00
  • DISA · V1R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-004062
1.00
  • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-281217r1195450_chk)

Verify RHEL 10 configures the pam_unix.so module to use sha512 in "/etc/pam.d/password-auth" with the following command: $ sudo grep "^password.*pam_unix.so.*sha512" /etc/pam.d/password-auth password sufficient pam_unix.so sha512 If "sha512" is missing, or the line is commented out, this is a finding.

Fix Text (F-85683r1195449_fix)

Configure RHEL 10 to use the sha512 cryptographic hashing algorithm for local account passwords. Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: password sufficient pam_unix.so sha512