Title

Samba must be configured to use encrypted passwords. (Cat II impact)

Discussion

Samba must be configured to protect authenticators. If Samba passwords are not encrypted for storage, plain-text user passwords may be read by those with access to the Samba password file.

Check Content

Check the encryption setting of the Samba configuration. Default locations for this file include /etc, /etc/sfw, /etc/samba, and /etc/sfw/samba. If the system has Samba installed in non-standard locations, also check the smb.conf in those locations. Procedure: # grep -i 'encrypt passwords' /etc/smb.conf /etc/sfw/smb.conf /etc/samba/smb.conf /etc/sfw/samba/smb.conf If the setting is not present, or not set to yes, this is a finding.

Fix Text

Edit the smb.conf file and change the encrypt passwords setting to yes.

Additional Identifiers

Rule ID: SV-26831r2_rule

Vulnerability ID: V-22500

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.