An error occurred:

Check: GEN000595

HP-UX 11.31 STIG: GEN000595 (in versions v1 r19 through v1 r13)

Title

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

Check Content

Note that in certain instances, the password field of any given password database may present as “*” or “!!”, indicating that the account is locked or disabled. For Trusted Mode: Verify that the first 3 characters in the /tcb password hashes begin with the characters “$6$” (note that double quotes are for emphasis only). # cd /tcb/files/auth && cat */* | egrep “:u_name=|:u_pwd=“ If user account password hashes begins with any characters other than “$6$”, this is a finding. For SMSE: Verify that password hashes in /etc/shadow begin with the characters “$6$” (note that double quotes are for emphasis only). # cat /etc/shadow | cut -f 2,2 -d “:” | egrep -v “^\\*|\\!\\!” If user account password hashes begins with any characters other than “$6$”, this is a finding.

Fix Text

For Trusted Mode: NOTE: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated, due to TS being deprecated/replaced by SMSE. This will always result in a finding. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) to update the attribute. See the below example: CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Additional Identifiers

Rule ID: SV-52491r2_rule

Vulnerability ID: V-22304

Group Title: GEN000595

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000196

The information system, for password-based authentication, stores only cryptographically-protected passwords.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (1)

Password-Based Authentication