Check: GEN000595
AIX 5.3 STIG:
GEN000595
(in version v1 r3)
Title
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)
Discussion
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
Check Content
Verify no password hashes in /etc/passwd. # cat /etc/passwd | cut -f2,2 -d":" If there are password hashes present, this is a finding. Verify all password hashes in /etc/security/passwd begin with {ssha256} or {ssha512}. Procedure: # cat /etc/passwd | cut -f2,2 -d ":" # cat /etc/security/passwd | grep password If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.
Fix Text
Change the passwords for all accounts using non-compliant password hashes. # passwd account OR # smitty passwd (This requires that GEN000590 is already met.)
Additional Identifiers
Rule ID: SV-38672r1_rule
Vulnerability ID: V-22304
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000196 |
The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |