Navigate

Check: GEN000595

SUSE Linux Enterprise Server v11 for System z STIG: GEN000595 (in versions v1 r12 through v1 r9)

Title

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)

Discussion

Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.

Check Content

Check all password hashes in /etc/passwd or /etc/shadow begin with '$5$' or '$6$'. Procedure: # cut -d ':' -f2 /etc/passwd # cut -d ':' -f2 /etc/shadow Any password hashes present not beginning with '$5$' or '$6$', is a finding.

Fix Text

Change the passwords for all accounts using non-compliant password hashes. (This requires GEN000590 is already met.)

Additional Identifiers

Rule ID: SV-44865r1_rule

Vulnerability ID: V-22304

Group Title: GEN000595

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000196	The information system, for password-based authentication, stores only cryptographically-protected passwords.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (1)	Password-Based Authentication