Navigate

Check: SOL-11.1-040130

Solaris 11 SPARC STIG: SOL-11.1-040130 (in versions v2 r10 through v1 r15)

Title

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. (Cat II impact)

Discussion

Cryptographic hashes provide quick password authentication while not actually storing the password.

Check Content

Determine which cryptographic algorithms are configured. # grep ^CRYPT /etc/security/policy.conf If the command output does not include the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 this is a finding.

Fix Text

The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the lines: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6 exist and are not commented out.

Additional Identifiers

Rule ID: SV-216333r603267_rule

Vulnerability ID: V-216333

Group Title: SRG-OS-000073

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000196	The information system, for password-based authentication, stores only cryptographically-protected passwords.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (1)	Password-Based Authentication