Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22304 | GEN000595 | SV-38672r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
Description |
---|
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise. |
STIG | Date |
---|---|
AIX 5.3 Security Technical Implementation Guide | 2012-05-25 |
Check Text ( C-36894r1_chk ) |
---|
Verify no password hashes in /etc/passwd. # cat /etc/passwd | cut -f2,2 -d":" If there are password hashes present, this is a finding. Verify all password hashes in /etc/security/passwd begin with {ssha256} or {ssha512}. Procedure: # cat /etc/passwd | cut -f2,2 -d ":" # cat /etc/security/passwd | grep password If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding. |
Fix Text (F-32015r1_fix) |
---|
Change the passwords for all accounts using non-compliant password hashes. # passwd account OR # smitty passwd (This requires that GEN000590 is already met.) |