Check: GEN000590
HP-UX 11.31 STIG:
GEN000590
(in versions v1 r19 through v1 r18)
Title
The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes. (Cat II impact)
Discussion
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2-approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
Check Content
For Trusted Mode: MD5 is currently the only available hashing function. Per vendor documentation, this algorithm will not be updated, due to TS being deprecated/replaced by SMSE.

For SMSE: Check the system password for use of cryptographic hashes using the SHA-2 family of algorithms or FIPS 140-2-approved successors.

    # egrep "CRYPT_ALGORITHMS_DEPRECATE|CRYPT_DEFAULT" /etc/default/security

The following is an example output from the above command:

    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    CRYPT_DEFAULT=6

If the attributes "CRYPT_ALGORITHMS_DEPRECATE" and "CRYPT_DEFAULT" are not set per the above example output, this is a finding.
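The SMSE check above can be scripted so that commented-out or conflicting entries are not mistaken for a pass, which a plain egrep match would allow. This is an added example, not part of the STIG; the function names `sec_attr` and `check_gen000590` are hypothetical, and it assumes the file holds NAME=value lines with `#` starting a comment and treats conflicting duplicate assignments as a finding.

```shell
#!/bin/sh
# Added example of the SMSE check for GEN000590; not part of the STIG text.
# Assumption: the file holds NAME=value lines and '#' starts a comment.

# Print the distinct values assigned to attribute $1 in file $2, one per line.
sec_attr() {
    awk -v name="$1" '
        { sub(/[#].*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, name "=") == 1 { print substr($0, length(name) + 2) }
    ' "$2" | sort -u
}

# Return 0 if file $1 matches the STIG example output, 1 if it is a finding.
check_gen000590() {
    file="${1:-/etc/default/security}"
    rc=0
    if [ ! -r "$file" ]; then
        echo "FINDING: cannot read $file"
        return 1
    fi
    # Expected values are the ones shown in the STIG example output.
    for pair in CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(sec_attr "$name" "$file")
        # Unset, commented-out, or conflicting duplicate entries all fail here.
        if [ "$got" != "$want" ]; then
            shown=$(printf '%s' "$got" | tr '\n' ' ')
            echo "FINDING: $name is '$shown', expected '$want'"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file matches the GEN000590 example"
    fi
    return "$rc"
}

# Constructed sample: CRYPT_DEFAULT is set, the other attribute is commented out.
sample=$(mktemp)
printf '%s\n' 'CRYPT_DEFAULT=6' '#CRYPT_ALGORITHMS_DEPRECATE=__unix__' > "$sample"
check_gen000590 "$sample" || echo "exit status 1: this is a finding"
rm -f "$sample"
```
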
Fix Text
For Trusted Mode: Note: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated due to TS being deprecated/replaced by SMSE.

For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) to update the attribute. See the below example:

    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    CRYPT_DEFAULT=6

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.
Additional Identifiers
Rule ID: SV-52489r3_rule
Vulnerability ID: V-22303
Group Title: GEN000590
CCIs
Number | Definition |
---|---|
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
Controls
Number | Title |
---|---|
IA-7 | Cryptographic Module Authentication |