Check: FreeBSD-10-000610
FreeBSD 10 (version v1 r1)
Title
The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. (Cat II impact)
Discussion
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
Satisfies: SRG-OS-000120-GPOS-00061
Check Content
Inspect the "password" section of "/etc/pam.d/system", "/etc/pam.d/sshd", "/etc/pam.d/passwd", and any other files in "/etc/pam.d" to identify the number of occurrences where the "pam_unix.so" module is used in the "password" section:

    $ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*
    /etc/pam.d/README:0
    /etc/pam.d/atrun:0
    /etc/pam.d/cron:0
    /etc/pam.d/ftp:0
    /etc/pam.d/ftpd:0
    /etc/pam.d/imap:0
    /etc/pam.d/login:0
    /etc/pam.d/other:0
    /etc/pam.d/passwd:1
    /etc/pam.d/pop3:0
    /etc/pam.d/rsh:0
    /etc/pam.d/sshd:1
    /etc/pam.d/su:0
    /etc/pam.d/system:1
    /etc/pam.d/telnetd:1
    /etc/pam.d/xdm:0

Note: The number adjacent to the file name indicates how many occurrences of the "pam_unix.so" module are found in the password section of that file.

If the "pam_unix.so" module is not defined in the "password" section of "system", "sshd", and "passwd" at a minimum, this is a finding.

In addition, the "/etc/master.passwd" file must use SHA512 hashes. To check, first verify all passwords are hashed using a SHA algorithm:

    $ cat /etc/master.passwd
    # $FreeBSD: releng/10.4/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
    #
    toor:*:0:0::0:0:Bourne-again Superuser:/root:
    daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
    bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
    tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
    kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
    games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
    news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
    man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
    unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
    proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
    uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
    auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
    www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
    nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
    jimbo:$6$2jEuW4XAaFWVN0FR$8jvpYm.c5lQk2BDq6MlhWuAcUBSXjpM/KFPRRUgima/9GBanbkWo6dCOO3THzXT8NTZJQSLTQYp/0d4wC5J080:1001:1001::0:0:Jim:/home/jimbo:/bin/sh

Any user without a '*' in the second column has a password, and that password hash must start with "$6$".

To verify the hashes are SHA512 and not SHA256, check the password format configured in "/etc/login.conf":

    $ grep format /etc/login.conf
    :passwd_format=sha512:\
    # :passwd_format=des:\

Ensure the non-commented-out line indicates sha512.
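As an added example (not part of the STIG text), the POSIX sh script below automates the three checks above: the pam_unix.so count per service file, the "$6$" prefix on every populated hash field in master.passwd, and the active passwd_format in login.conf. All file paths are parameters so it can be run against copies; function names and the "FINDING:" output format are this example's own choices.

```shell
#!/bin/sh
# Added audit helper (example code, not part of the STIG): runs the three checks
# from the Check Content against explicit file paths, so it can be pointed at
# the live system (the defaults) or at copied files under review.
# Count "password"-section lines that load pam_unix.so in one PAM service file.
# Prints the count, 0 if the file is absent; grep -c exits 1 on zero matches,
# hence the "|| true".
pam_unix_password_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -E -c 'password.*pam_unix\.so' "$1" || true
}

# "system", "sshd" and "passwd" must each use pam_unix.so in their password
# section.  Returns 1 and names each offending service file.
check_pam_services() {
    dir="$1"; fail=0
    for svc in system sshd passwd; do
        if [ "$(pam_unix_password_count "$dir/$svc")" -eq 0 ]; then
            echo "FINDING: $dir/$svc has no pam_unix.so password line"; fail=1
        fi
    done
    return $fail
}

# Any account whose hash field is not "*" must carry a SHA-512 crypt hash
# ($6$ prefix).  Comment and blank lines are skipped.  Returns 1 on a finding.
check_master_passwd() {
    bad=$(awk -F: '/^[[:space:]]*(#|$)/ { next }
                   $2 != "*" && $2 !~ /^[$]6[$]/ { print $1 }' "$1")
    [ -z "$bad" ] || { echo "FINDING: non-SHA512 hash for: $bad"; return 1; }
}

# Every active (non-commented) passwd_format in login.conf must be sha512 and
# at least one must exist.  login.conf is read via login.conf.db, so run
# cap_mkdb /etc/login.conf after any edit for the setting to take effect.
check_login_conf() {
    fmts=$(grep -v '^[[:space:]]*#' "$1" | grep -o 'passwd_format=[^:]*' || true)
    [ -n "$fmts" ] || { echo "FINDING: no active passwd_format in $1"; return 1; }
    echo "$fmts" | grep -qv '^passwd_format=sha512$' &&
        { echo "FINDING: non-sha512 passwd_format in $1"; return 1; }
    return 0
}

# Run all three checks; exit status 0 means no finding for this rule.
audit_fips_auth() {
    rc=0
    check_pam_services "${1:-/etc/pam.d}" || rc=1
    check_master_passwd "${2:-/etc/master.passwd}" || rc=1
    check_login_conf "${3:-/etc/login.conf}" || rc=1
    return $rc
}
```

Run `audit_fips_auth` with no arguments on the target host to audit the real files; a non-zero exit status means at least one of the three conditions is a finding.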
Fix Text
Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Additional Identifiers
Vulnerability ID: V-610
CCIs
Number | Definition
---|---
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Controls
Number | Title
---|---
IA-7 | Cryptographic Module Authentication