AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-80953	SRG-APP-000171-AAA-000510	SV-95663r1_rule		High

Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. AAA Services must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised.

Description

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. AAA Services must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised.

STIG	Date
Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide	2019-12-12

Details

Check Text ( C-80691r2_chk )
Where passwords are used, verify AAA Services are configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose. Confirm that databases, configuration files, and log files have encrypted representations for all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a related database table. Review AAA Services configuration for use of the MD5 algorithm to create password hashes. If AAA Services are not configured to encrypt locally stored credentials using a FIPS-validated cryptographic module, this is a finding. If AAA Services are configured to use MD5 to create password hashes, this is a finding. Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Check Text ( C-80691r2_chk )

Where passwords are used, verify AAA Services are configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose.

Confirm that databases, configuration files, and log files have encrypted representations for all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a related database table.

Review AAA Services configuration for use of the MD5 algorithm to create password hashes.

If AAA Services are not configured to encrypt locally stored credentials using a FIPS-validated cryptographic module, this is a finding.

If AAA Services are configured to use MD5 to create password hashes, this is a finding.

Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Fix Text (F-87809r2_fix)
Configure AAA Services to encrypt locally stored credentials using a FIPS-validated cryptographic module. Configure all associated databases, configuration files, and audit files to use only encrypted representations for all passwords and so that no password strings are readable/discernable.