UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22303 GEN000590 SV-52489r2_rule DCNR-1 IAIA-1 IAIA-2 Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
STIG Date
HP-UX 11.23 Security Technical Implementation Guide 2015-06-12

Details

Check Text ( C-47035r2_chk )
For Trusted Mode:
MD5 is currently the only available hashing function. Per vendor documentation, this algorithm will not be updated, due to TS being deprecated/replaced by SMSE.

For SMSE:
Check the system password for use of cryptographic hashes using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
# egrep “CRYPT_ALGORITHMS_DEPRECATE|CRYPT_DEFAULT” /etc/default/security

The following is an example output from the above command:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

If the attributes CRYPT_ALGORITHMS_DEPRECATE, and CRYPT_DEFAULT are not set per the above example output, this is a finding.
Fix Text (F-45448r1_fix)
For Trusted Mode:
NOTE: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated, due to TS being deprecated/replaced by SMSE.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) to update the attribute. See the below example:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database.

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.