An error occurred:

Check: GEN000590

SUSE Linux Enterprise Server v11 for System z STIG: GEN000590 (in versions v1 r12 through v1 r9)

Title

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. (Cat II impact)

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

Check Content

Check the /etc/default/passwd file for the CRYPT_FILES variable setting. Procedure: # grep -v '^#' /etc/default/passwd | grep -i crypt_files CRYPT_FILES must be set to SHA256 or SHA512. If it is not set, or it is set to some other value this is a finding.

Fix Text

Edit the /etc/default/passwd file and add or change the CRYPT_FILES variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512 In SLES 11 SP2 this option can also be configured with the YaST ‘Security and Users’ module. Run the ‘Security Center and Hardening’ application, then select ‘Password Settings’. Use the ‘Password Encryption Method’ drop-down to select either ‘SHA-256’ or ‘SHA-512’.

Additional Identifiers

Rule ID: SV-44864r1_rule

Vulnerability ID: V-22303

Group Title: GEN000590

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000803

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-7

Cryptographic Module Authentication