Title

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. (Cat II impact)

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

Check Content

Verify the traditional UNIX crypt algorithm is deprecated. # egrep CRYPT_ALGORITHMS_ALLOW /etc/security/policy.conf If CRYPT_ALGORITHMS_ALLOW is not set, is not set to "6", or is not set to "5,6", this is a finding. Verify new password hashes are generated using either the SHA-256 or SHA-512 cryptographic hashing algorithm. # egrep CRYPT_DEFAULT /etc/security/policy.conf If CRYPT_DEFAULT is not set or is not equal to 5 or 6, this is a finding.

Fix Text

Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_ALLOW=5,6 CRYPT_DEFAULT=6

Additional Identifiers

Rule ID: SV-226459r603265_rule

Vulnerability ID: V-226459

Group Title: SRG-OS-000120

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.