Check: SOL-11.1-040130
Solaris 11 X86 STIG:
SOL-11.1-040130
(in versions v3 r2 through v3 r1)
Title
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. (Cat II impact)
Discussion
Cryptographic hashes provide quick password authentication while not actually storing the password.
Check Content
Determine which cryptographic algorithms are configured. # grep ^CRYPT /etc/security/policy.conf If the command output does not include the lines below, this is a finding. CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6
Fix Text
The root role is required. Configure the system to disallow the use of UNIX encryption and enable SHA256 as the default encryption hash. # pfedit /etc/security/policy.conf Check that the following lines exist and are not commented out: CRYPT_DEFAULT=6 CRYPT_ALGORITHMS_ALLOW=5,6
Additional Identifiers
Rule ID: SV-216098r1016291_rule
Vulnerability ID: V-216098
Group Title: SRG-OS-000073
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000196 |
The information system, for password-based authentication, stores only cryptographically-protected passwords. |
| CCI-004062 |
For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
Controls
| Number | Title |
|---|---|
| IA-5(1) |
Password-based Authentication |