SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261385	SLEM-05-611050	SV-261385r996586_rule		Medium

Description

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

STIG	Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide	2025-05-08

Details

Check Text (C-65114r996584_chk)

Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command:

> grep pam_unix.so /etc/pam.d/common-password
password required pam_unix.so sha512

If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix Text (F-65022r996585_fix)

Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength.

Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.