Check: FreeBSD-10-000410
FreeBSD 10:
FreeBSD-10-000410
(in version v1 r1)
Title
The operating system must store only encrypted representations of passwords. (Cat II impact)
Discussion
Passwords need to be protected at all times. Storing only a one-way cryptographic hash of each password (the "encrypted representation" in the requirement) is the standard method of protecting them. If passwords are stored without that protection, they can be read in clear text by anyone who obtains the file and are easily compromised. Satisfies: SRG-OS-000073-GPOS-00041
Check Content
Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding.

The "/etc/master.passwd" file must use SHA-512 hashes. The file is readable only by root, so run the check as root. First, verify that every password is hashed with SHA-512 crypt (the "$6$" prefix):

    $ cat /etc/master.passwd
    # $FreeBSD: releng/10.4/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
    #
    toor:*:0:0::0:0:Bourne-again Superuser:/root:
    daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
    bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
    tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
    kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
    games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
    news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
    man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
    unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
    proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
    uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
    auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
    www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
    nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
    jimbo:$6$2jEuW4XAaFWVN0FR$8jvpYm.c5lQk2BDq6MlhWuAcUBSXjpM/KFPRRUgima/9GBanbkWo6dCOO3THzXT8NTZJQSLTQYp/0d4wC5J080:1001:1001::0:0:Jim:/home/jimbo:/bin/sh

Any account whose second (password) field is not "*" has a password, and that password hash must start with "$6$". Other prefixes indicate a weaker format: "$5$" is SHA-256, "$1$" is MD5, and an unprefixed 13-character value is traditional DES. Accounts locked with pw(8) carry a "*LOCKED*" prefix in front of the hash; the hash that follows it is still subject to this check.

The prefix only shows how existing passwords were hashed. To verify that new passwords will be generated with SHA-512 rather than SHA-256, MD5 or DES, check the active password format in "/etc/login.conf":

    $ grep format /etc/login.conf
            :passwd_format=sha512:\
    # :passwd_format=des:\

Ensure the line that is not commented out indicates sha512. A "passwd_format" entry in a non-default login class overrides the default for members of that class, so check every active entry, not only the first.
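The two manual steps above can be scripted. The following is an added example written for this page, not part of the STIG text or of the FreeBSD base system. It takes the two file paths as parameters so that it runs here against constructed sample files (the hashes in them are placeholders, not real crypt output); on a real host it would be run as root against /etc/master.passwd and /etc/login.conf.

```shell
#!/bin/sh
# Added example for FreeBSD-10-000410 (illustration only, not STIG or FreeBSD code).
# It automates the two manual steps of the Check Content:
#   1. every account in a master.passwd-format file whose password field is
#      not "*" must carry a "$6$" (SHA-512 crypt) hash;
#   2. every active (uncommented) passwd_format entry in a login.conf-format
#      file must be sha512, and at least one such entry must exist.

# check_hashes FILE
# Prints "user:<first 3 chars of hash>" for each non-compliant entry and
# returns 1 if any were found, 0 otherwise. A "*LOCKED*" prefix added by
# pw(8) lock is stripped first so a locked SHA-512 account is not misreported.
check_hashes() {
    awk -F: '
        /^[[:space:]]*#/ || NF < 2 { next }       # comment or blank line
        {
            h = $2
            sub(/^\*LOCKED\*/, "", h)              # pw lock prefix
            if (h == "*") next                     # no password set
            if (substr(h, 1, 3) != "$6$") {
                print $1 ":" substr(h, 1, 3)
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# check_passwd_format FILE
# Returns 0 only if every active passwd_format line is sha512. Commented-out
# lines such as "# :passwd_format=des:\" are ignored; a file with no active
# setting at all is treated as a finding.
check_passwd_format() {
    fmts=$(sed -n 's/^[[:space:]]*:passwd_format=\([^:]*\):.*/\1/p' "$1")
    [ -n "$fmts" ] || return 1
    for f in $fmts; do
        [ "$f" = "sha512" ] || return 1
    done
    return 0
}

# audit MASTER_PASSWD LOGIN_CONF -> 0 when both checks pass, 1 otherwise
audit() {
    rc=0
    check_hashes "$1" || rc=1
    check_passwd_format "$2" || rc=1
    return $rc
}

# ---- constructed sample inputs (placeholder hashes, not from a real host) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/master.passwd.good" <<'EOF'
# $FreeBSD$
root:$6$N0tAReal$saltAndHashForIllustrationOnly:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
carol:*LOCKED*$6$AlsoNotReal$lockedSha512Account:1002:1002::0:0:Carol:/home/carol:/bin/sh
EOF

cat > "$SAMPLE_DIR/master.passwd.bad" <<'EOF'
root:$6$N0tAReal$saltAndHashForIllustrationOnly:0:0::0:0:Charlie &:/root:/bin/csh
bob:$1$md5salt$md5HashNotSha512:1003:1003::0:0:Bob:/home/bob:/bin/sh
EOF

cat > "$SAMPLE_DIR/login.conf.good" <<'EOF'
default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:
EOF

cat > "$SAMPLE_DIR/login.conf.bad" <<'EOF'
default:\
        :passwd_format=des:\
# :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:
EOF

# Stand-alone run: report on the compliant and the non-compliant samples.
if audit "$SAMPLE_DIR/master.passwd.good" "$SAMPLE_DIR/login.conf.good"; then
    echo "good samples: not a finding"
fi
if ! audit "$SAMPLE_DIR/master.passwd.bad" "$SAMPLE_DIR/login.conf.bad"; then
    echo "bad samples: finding"
fi
```

On the non-compliant sample the hash check prints "bob:$1$" (an MD5 hash) and the format check fails on the active "des" entry. Passing the script does not prove that new passwords will hash correctly unless /etc/login.conf.db has been rebuilt with cap_mkdb(1) after the last edit, since the login class database, not the text file, is what the system reads.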
Fix Text
Configure the operating system to store only encrypted representations of passwords. Set ":passwd_format=sha512:" in the default login class of "/etc/login.conf" (and in any other class that sets its own format), then rebuild the login class database with "cap_mkdb /etc/login.conf". Changing the format affects only passwords set from that point on; any account whose existing hash does not start with "$6$" must have its password reset so that it is re-hashed with SHA-512.
Additional Identifiers
Rule ID:
Vulnerability ID: V-410
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication