Check: GEN000585
AIX 5.3 STIG: GEN000585 (in version v1 r3)
Title
The system must enforce the entire password during authentication. (Cat II impact)
Discussion
Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.
Check Content
Verify no password hashes in /etc/passwd.

# cat /etc/passwd | cut -f2,2 -d":"

If there are password hashes present, this is a finding.

Verify no password hashes in the /etc/security/passwd file begin with characters other than {ssha256} or {ssha512}.

# cat /etc/security/passwd | grep password

If there are password hashes that do not begin with {ssha256} or {ssha512}, this is a finding.
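The two verifications above, automated as an added POSIX shell check run over constructed sample files (example code, not part of the STIG text). It assumes that a second field of "!", "*" or empty in /etc/passwd means no hash is stored there, and that /etc/security/passwd uses the stanza layout with "password = value" lines.

```shell
# Added example, not part of the STIG text: automate the GEN000585 check
# against a passwd-format file and a security/passwd-format file.
# Assumption: a second field of "!", "*" or "" in /etc/passwd means no hash is
# stored there (AIX keeps hashes in /etc/security/passwd); anything else is a hash.

# Exit 0 if any password hash is stored in the passwd-format file $1.
passwd_has_hashes() {
    cut -d: -f2 "$1" | grep -v '^[!*]*$' | grep -q .
}

# Print every "password = value" entry of the security/passwd-format file $1
# whose value does not start with {ssha256} or {ssha512}.
weak_security_hashes() {
    awk '/^[ \t]*password[ \t]*=/ {
        v = $0; sub(/^[ \t]*password[ \t]*=[ \t]*/, "", v)
        if (v !~ /^[{]ssha(256|512)[}]/) print v
    }' "$1"
}

# Overall result for GEN000585: exit 0 = not a finding, 1 = finding.
check_gen000585() {
    status=0
    if passwd_has_hashes "$1"; then
        echo "Finding: password hashes present in $1"; status=1
    fi
    weak=$(weak_security_hashes "$2")
    if [ -n "$weak" ]; then
        echo "Finding: hashes not ssha256/ssha512 in $2:"; echo "$weak"; status=1
    fi
    return $status
}

# Constructed sample files (not from any real system); hash values are placeholders.
TMP=${TMPDIR:-/tmp}/gen000585.$$
mkdir -p "$TMP"
cat > "$TMP/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
guest:*:100:100::/home/guest:
EOF
cat > "$TMP/security_passwd" <<'EOF'
root:
        password = {ssha256}06$PLACEHOLDER_SALT$PLACEHOLDER_HASH
        lastupdate = 1700000000
guest:
        password = PLACEHOLDER_LEGACY_CRYPT_HASH
EOF
if check_gen000585 "$TMP/passwd" "$TMP/security_passwd"; then
    echo "GEN000585: not a finding"
else
    echo "GEN000585: FINDING"
fi
```

The guest stanza carries a non-SHA hash, so the sample run reports a finding; replacing that value with an {ssha256} or {ssha512} hash makes the check pass.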
Fix Text
Configure the system to enforce the correctness of the entire password during authentication. Configure the system to use SHA password hashing:

# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256
Additional Identifiers
Rule ID: SV-38769r1_rule
Vulnerability ID: V-22302
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000205 | The information system enforces minimum password length. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |