Check: GEN001470
HP-UX 11.31 STIG:
GEN001470
(in versions v1 r19 through v1 r13)
Title
The /etc/passwd file must not contain password hashes. (Cat II impact)
Discussion
If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.
Check Content
Verify no password hashes are present in /etc/passwd. # cat /etc/passwd | cut -f 2,2 -d “:” If any password hashes are returned, this is a finding.
Fix Text
Migrate /etc/passwd password hashes. For Trusted Mode: Use the System Administration Manager (SAM) or the System Management Homepage (SMH) to migrate from a non-SMSE Standard Mode to Trusted Mode. For SMSE Mode: Use the following command to create the shadow file. The command will then copy all encrypted passwords into the shadow file and replace the passwd file password entries with an “x”. # pwconv
Additional Identifiers
Rule ID: SV-38323r2_rule
Vulnerability ID: V-22347
Group Title: GEN001470
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000201 |
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
Controls
Number | Title |
---|---|
IA-5 (6) |
Protection Of Authenticators |