Check: GEN000595
Title
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)
Discussion
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
Check Content
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm.
Procedure:
# cat /etc/passwd
# cat /etc/shadow
If any password hashes are present not beginning with $5$ (SHA-256) or $6$ (SHA-512), this is a finding. Password fields that hold no hash (lock or no-password markers such as *, ! or !!) are not password hashes and are not findings.
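As an added example (not part of the STIG check text), the following POSIX shell function applies the same prefix test to shadow-format input: it strips a leading lock marker (`!` or Solaris-style `*LK*`), skips fields that hold no hash at all, accepts `$5$` (SHA-256) and `$6$` (SHA-512) hashes, and prints every other account with its stored hash. A locked account whose legacy hash is still stored is reported, because the hash is still present on the system. The shadow lines embedded below are constructed sample data, not from a real host; against a live system run `noncompliant_hashes < /etc/shadow` as root.

```sh
#!/bin/sh
# Added example for GEN000595: report password hashes that are not SHA-2 (crypt $5$ / $6$).

# Constructed sample /etc/shadow content (fake salts and hash bodies).
SAMPLE_SHADOW='root:$6$zXc1vBnM$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrst:19000:0:99999:7:::
alice:$5$aSdFgHjK$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL:19000:0:99999:7:::
bob:$1$qWeRtYuI$abcdefghijklmnopqrstuv:19000:0:99999:7:::
carol:xyAbCdEfGhIjK:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
dave:!$6$zXc1vBnM$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrst:19000:0:99999:7:::
eve:!$1$qWeRtYuI$abcdefghijklmnopqrstuv:19000:0:99999:7:::
lp:*LK*:19000:0:99999:7:::
'

# Read shadow-format lines on stdin; print "user:hash" for each non-compliant stored hash.
noncompliant_hashes() {
    awk -F: '
    {
        user = $1
        hash = $2
        # Lock markers are prepended to the hash by passwd -l; the hash behind them is still stored.
        sub(/^(!+|\*LK\*)/, "", hash)
        # Empty, "*" or "NP" style fields carry no hash and are not findings.
        if (hash == "" || hash == "*" || hash == "NP" || hash == "*NP*") next
        # SHA-256 ($5$) and SHA-512 ($6$) crypt hashes are the approved forms, including $6$rounds=N$ variants.
        if (hash ~ /^\$5\$/ || hash ~ /^\$6\$/) next
        # Anything else ($1$ MD5, $2*$ bcrypt, 13-char DES, ...) is a finding.
        print user ":" hash
    }'
}

# Run the check over the constructed sample.
report_findings() {
    printf '%s' "$SAMPLE_SHADOW" | noncompliant_hashes
}

# Number of accounts reported by report_findings.
count_findings() {
    report_findings | awk 'END { print NR }'
}

report_findings
```

Expected findings on the sample are bob (MD5), carol (traditional DES) and eve (locked, but an MD5 hash is still stored); root, alice and dave are compliant, and daemon, svc and lp store no hash.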
Fix Text
Update the passwords for all accounts with non-compliant password hashes so that a new hash is written. The system must already be configured to generate SHA-2 password hashes; otherwise the replacement hash will be non-compliant as well.
Additional Identifiers
Rule ID:
Vulnerability ID: V-22304
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |