漏洞描述
The ENCRYPT_METHOD setting in /etc/login.defs specifies the algorithm used to hash passwords.It should be set to SHA512 or yescrypt, as weaker algorithms may expose passwords to brute-force attacks.
strong-password-hashing: Ensure Strong Password Hashing Algorithm is Configured
PoC代码[已公开]
id: strong-password-hashing
info:
name: Ensure Strong Password Hashing Algorithm is Configured
author: Th3l0newolf
severity: high
description: |
The ENCRYPT_METHOD setting in /etc/login.defs specifies the algorithm used to hash passwords.It should be set to SHA512 or yescrypt, as weaker algorithms may expose passwords to brute-force attacks.
remediation: |
Edit /etc/login.defs and set ENCRYPT_METHOD to either SHA512 or yescrypt.Verify with: grep -Pi -- '^\h*ENCRYPT_METHOD\h+(SHA512|yescrypt)\b' /etc/login.defs
reference:
- https://www.cisecurity.org/benchmark/ubuntu_linux
metadata:
verified: true
tags: cis,local,cisecurity,audit,linux,ubuntu,password
self-contained: true
code:
- engine:
- bash
args:
- "-c"
- |
HASH_METHOD_LINE=$(grep -Pi -- '^\h*ENCRYPT_METHOD\h+(SHA512|yescrypt)\b' /etc/login.defs | head -n1)
if [ -n "$HASH_METHOD_LINE" ]; then
VALUE=$(echo "$HASH_METHOD_LINE" | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
if [ "$VALUE" = "sha512" ] || [ "$VALUE" = "yescrypt" ]; then
echo "[strong-password-hashing-check:Policy-Pass] [ENCRYPT_METHOD is $VALUE (valid)] [CIS_PASS]"
else
echo "[strong-password-hashing-check:Policy-Fail] [ENCRYPT_METHOD is $VALUE (invalid)] [CIS_FAIL]"
fi
else
echo "[strong-password-hashing-check:Policy-Fail] [ENCRYPT_METHOD not set or malformed] [CIS_FAIL]"
fi
matchers:
- type: word
name: policy-pass
words:
- "Policy-Pass"
- type: word
name: policy-fail
words:
- "Policy-Fail"
# digest: 4a0a00473045022100cd6bf4ce19f4fb0e8d029237a76e2574dd9d82278c7a528d5f633f2f6201bc29022053f3b756734482a237fa8af52147eb59164c143c06d425727c1ddb5b4ad4340c:922c64590222798bb761d5b6d8e72950