The TOSS 5 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-282461 | SRG-OS-000073-GPOS-00041 | TOSS-05-000467 | SV-282461r1200363_rule | 2026-04-01 | 1 |
Description
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.
TOSS 5 systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
ℹ️ Check
Verify the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth using the following command:
$ grep "^password.*pam_unix.so.*sha512" /etc/pam.d/password-auth
password sufficient pam_unix.so sha512
If "sha512" is missing, or the line is commented out, this is a finding.
✔️ Fix
Configure TOSS 5 to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.
Edit or modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so:
password sufficient pam_unix.so sha512