An error occurred:

Check: AIX7-00-001134

IBM AIX 7.x STIG: AIX7-00-001134 (in versions v2 r9 through v1 r1)

Title

The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

Check Content

Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command: # lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm usw pwd_algorithm=ssha512 If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding. Verify no password hashes in /etc/passwd by running the following command: # cat /etc/passwd | cut -f2,2 -d":" ! ! ! ! * * * * If there are password hashes present, this is a finding. Verify all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running commands: # cat /etc/security/passwd | grep password password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP.. password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/.. password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM.. password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN.. If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.

Fix Text

Set the system wide password algorithm to "ssha256" or "ssha512" by running the following command: # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512 Change the passwords for all accounts using non-compliant password hashes by running the following command: $ passwd [user_name]

Additional Identifiers

Rule ID: SV-215230r508663_rule

Vulnerability ID: V-215230

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings