Check: AIX7-00-001134
IBM AIX 7.x STIG:
AIX7-00-001134
(in versions v3 r1 through v1 r1)
Title
The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)
Discussion
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
Check Content
Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command: # lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm usw pwd_algorithm=ssha512 If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding. Verify no password hashes in /etc/passwd by running the following command: # cat /etc/passwd | cut -f2,2 -d":" ! ! ! ! * * * * If there are password hashes present, this is a finding. Verify all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running commands: # cat /etc/security/passwd | grep password password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP.. password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/.. password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM.. password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN.. If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.
Fix Text
Set the system wide password algorithm to "ssha256" or "ssha512" by running the following command: # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512 Change the passwords for all accounts using non-compliant password hashes by running the following command: $ passwd [user_name]
Additional Identifiers
Rule ID: SV-215230r991589_rule
Vulnerability ID: V-215230
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |