Amazon Linux 2023 system-auth must be configured to use a sufficient number of hashing rounds.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-274163 | SRG-OS-000073-GPOS-00041 | AZLX-23-002495 | SV-274163r1120477_rule | 2025-07-15 | 1 |
| Description |
|---|
| Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061 |
| ℹ️ Check |
|---|
| Verify Amazon Linux 2023 has the required number of rounds for the password hashing algorithm is configured in system-auth with the following command: $ sudo grep rounds /etc/pam.d/system-auth password sufficient pam_unix.so sha512 rounds=100000 If a matching line is not returned or "rounds" is less than "100000", this a finding. |
| ✔️ Fix |
|---|
| Configure Amazon Linux 2023 to use 100000 hashing rounds for hashing passwords. Add or modify the following line in "/etc/pam.d/system-auth" and set "rounds" to "100000". password sufficient pam_unix.so sha512 rounds=100000 |