Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22303 | GEN000590 | SV-38938r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise. |
STIG | Date |
---|---|
AIX 5.3 Security Technical Implementation Guide | 2012-05-25 |
Check Text ( C-40623r1_chk ) |
---|
Determine if the system creates password hashes using a FIPS 140-2 approved cryptographic hashing algorithm by verifying the value of pwd_algorithm in /etc/security/login.cfg. # grep pwd_algorithm /etc/security/login.cfg If the system is not configured to generate password hashes using a FIPS 140-2 approved algorithm, such as SHA256 or a successor, this is a finding. |
Fix Text (F-32002r1_fix) |
---|
Configure the system to use a FIPS 140-2 approved cryptographic hash algorithm for creating password hashes. # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256 |