mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-09 20:23:21 +08:00
48 lines
1.8 KiB
YAML
48 lines
1.8 KiB
YAML
id: strong-password-hashing
|
|
|
|
info:
|
|
name: Ensure Strong Password Hashing Algorithm is Configured
|
|
author: Th3l0newolf
|
|
severity: high
|
|
description: |
|
|
The ENCRYPT_METHOD setting in /etc/login.defs specifies the algorithm used to hash passwords.It should be set to SHA512 or yescrypt, as weaker algorithms may expose passwords to brute-force attacks.
|
|
remediation: |
|
|
Edit /etc/login.defs and set ENCRYPT_METHOD to either SHA512 or yescrypt.Verify with: grep -Pi -- '^\h*ENCRYPT_METHOD\h+(SHA512|yescrypt)\b' /etc/login.defs
|
|
reference:
|
|
- https://www.cisecurity.org/benchmark/ubuntu_linux
|
|
metadata:
|
|
verified: true
|
|
tags: cis,cisecurity,audit,linux,ubuntu,password
|
|
|
|
self-contained: true
|
|
|
|
code:
|
|
- engine:
|
|
- bash
|
|
|
|
args:
|
|
- "-c"
|
|
- |
|
|
HASH_METHOD_LINE=$(grep -Pi -- '^\h*ENCRYPT_METHOD\h+(SHA512|yescrypt)\b' /etc/login.defs | head -n1)
|
|
if [ -n "$HASH_METHOD_LINE" ]; then
|
|
VALUE=$(echo "$HASH_METHOD_LINE" | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
|
|
if [ "$VALUE" = "sha512" ] || [ "$VALUE" = "yescrypt" ]; then
|
|
echo "[strong-password-hashing-check:Policy-Pass] [ENCRYPT_METHOD is $VALUE (valid)] [CIS_PASS]"
|
|
else
|
|
echo "[strong-password-hashing-check:Policy-Fail] [ENCRYPT_METHOD is $VALUE (invalid)] [CIS_FAIL]"
|
|
fi
|
|
else
|
|
echo "[strong-password-hashing-check:Policy-Fail] [ENCRYPT_METHOD not set or malformed] [CIS_FAIL]"
|
|
fi
|
|
|
|
matchers:
|
|
- type: word
|
|
name: policy-pass
|
|
words:
|
|
- "Policy-Pass"
|
|
|
|
- type: word
|
|
name: policy-fail
|
|
words:
|
|
- "Policy-Fail"
|
|
# digest: 4b0a00483046022100b916556b5fec405c612a0c48a889614de0f784e572362081b7e8faefd741d832022100f7d22b4851ad37c992e4502868aab9e9d10faf02def41d75ef0d65da2d021eaa:922c64590222798bb761d5b6d8e72950 |