Check: GEN000595
VMware ESX 3 Server:
GEN000595
(in version v1 r2)
Title
The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm. (Cat II impact)
Discussion
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise.
Check Content
Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm. Generally, a hash prefix of $5$ or $6$ indicates approved hashes. Consult OS documentation to determine the actual prefixes or other methods used by the OS to indicate approved hash algorithms.

Procedure:
# cut -d ':' -f2 /etc/passwd
# cut -d ':' -f2 /etc/shadow

If any password hashes are present that do not begin with $5$ or $6$, or otherwise lack the indications of an approved hash algorithm described in vendor documentation, this is a finding.
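The two cut commands above print every password field, approved or not, and leave the reviewer to eyeball the prefixes. The script below is an added example (not part of the STIG text, and not a VMware or DISA tool) that does the same classification mechanically: it reads shadow(5)-style lines, treats $5$ and $6$ as the approved prefixes named in the check, sets aside fields that are not hashes at all (locked or no-login markers such as `*` and `!`, and the `x` placeholder that /etc/passwd carries when the hash lives in /etc/shadow), and reports every remaining prefix without echoing the hash itself. The sample file is constructed, with placeholder hash bodies; the `mktemp` temp file and the user:hash:... layout are assumptions.

```shell
#!/bin/sh
# Added example for the GEN000595 check; not part of the STIG text.
# Classifies the password field of passwd(5)/shadow(5)-style lines by its
# crypt(3) prefix. $5$ (SHA-256) and $6$ (SHA-512) are the approved prefixes
# named in the check; anything else is reported for comparison with the
# vendor documentation. Assumes the usual user:hash:... field layout.

# classify_hash FIELD -> approved | locked | empty | legacy
classify_hash() {
  case "$1" in
    '$5$'* | '$6$'*) echo approved ;;   # SHA-256 / SHA-512 crypt
    '!'* | '*'* | x) echo locked ;;     # locked, no-login, or "x" (hash is in /etc/shadow)
    '')              echo empty ;;      # empty field: no password set at all
    *)               echo legacy ;;     # $1$ (MD5), traditional DES, or anything unknown
  esac
}

# hash_label FIELD -> short description of the prefix, never the hash itself
hash_label() {
  case "$1" in
    '$'*) printf 'prefix $%s$\n' "$(printf '%s' "$1" | cut -d '$' -f2)" ;;
    *)    echo 'no $ prefix (traditional DES-style)' ;;
  esac
}

# audit_hashes FILE -> one FINDING line per legacy hash; returns 0 only if none
audit_hashes() {
  findings=0
  while IFS=: read -r user field _rest; do
    [ -z "$user" ] && continue          # skip blank lines
    if [ "$(classify_hash "$field")" = legacy ]; then
      echo "FINDING: $user: password field has $(hash_label "$field") rather than \$5\$/\$6\$"
      findings=$((findings + 1))
    fi
  done < "$1"
  [ "$findings" -eq 0 ]
}

# Constructed sample in shadow(5) layout; the hash bodies are placeholders, not real hashes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$placeholderSHA512body:19000:0:99999:7:::
svc_backup:$5$saltsalt$placeholderSHA256body:19000:0:99999:7:::
legacyuser:$1$saltsalt$placeholderMD5body:19000:0:99999:7:::
olduser:AbCdEfGhIjKlM:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nologin:!!:19000:0:99999:7:::
EOF

# Demo run against the sample: two FINDING lines (legacyuser and olduser).
audit_hashes "$SAMPLE" || echo "result: non-approved password hashes present"
```

Run it against the real file as `audit_hashes /etc/shadow` (root is needed to read it); a non-zero exit means at least one account still carries a hash that is not $5$ or $6$ and needs the Fix Text applied. Locked and no-login accounts are deliberately not counted, because those fields are not hashes and would otherwise produce false findings.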
Fix Text
Replace password hashes with those created using a FIPS 140-2 approved cryptographic hashing algorithm.
Additional Identifiers
Rule ID: SV-25951r1_rule
Vulnerability ID: V-22304
Group Title: GEN000595
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |