UCF STIG Viewer Logo

The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22304 GEN000595 SV-38672r1_rule DCNR-1 IAIA-1 IAIA-2 Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
STIG Date
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE 2018-09-18

Details

Check Text ( C-36894r1_chk )
Verify no password hashes in /etc/passwd.
# cat /etc/passwd | cut -f2,2 -d":"

If there are password hashes present, this is a finding.

Verify all password hashes in /etc/security/passwd begin with {ssha256} or {ssha512}.

Procedure:
# cat /etc/passwd | cut -f2,2 -d ":"

# cat /etc/security/passwd | grep password

If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.
Fix Text (F-32015r1_fix)
Change the passwords for all accounts using non-compliant password hashes.

# passwd account
OR
# smitty passwd

(This requires that GEN000590 is already met.)