The system must enforce the correctness of the entire password during authentication.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22302	GEN000585	SV-52487r1_rule	IAIA-1 IAIA-2	Medium

Description
Some common password hashing schemes only process the first eight characters of a user's password, which reduces the effective strength of the password.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2018-09-14

Details

Check Text ( C-47033r1_chk )
Note that in certain instances, the password field of any given password database may present as “” or “!!”, indicating that the account is locked or disabled. For Trusted Mode: Verify that password hashes in /tcb do not begin with a character other than a dollar sign ($). # cd /tcb/files/auth && cat /* \| egrep “:u_name=\|:u_pwd=“ If user account password hashes begins with any character other than a dollar sign ($), this is a finding. For SMSE: Verify that password hashes in /etc/shadow do not begin with a character other than a dollar sign ($). # cat /etc/shadow \| cut -f 2,2 -d “:” \| egrep -v “^\\$\|\\*\|\\!\\!” If any password hash without a leading dollar sign is returned by the above command, this is a finding.

Check Text ( C-47033r1_chk )

Note that in certain instances, the password field of any given password database may present as “*” or “!!”, indicating that the account is locked or disabled.

For Trusted Mode:
Verify that password hashes in /tcb do not begin with a character other than a dollar sign ($).
# cd /tcb/files/auth && cat */* | egrep “:u_name=|:u_pwd=“

If user account password hashes begins with any character other than a dollar sign ($), this is a finding.

For SMSE:
Verify that password hashes in /etc/shadow do not begin with a character other than a dollar sign ($).
# cat /etc/shadow | cut -f 2,2 -d “:” | egrep -v “^\\$|\\*|\\!\\!”

If any password hash without a leading dollar sign is returned by the above command, this is a finding.

Fix Text (F-45446r1_fix)
For Trusted Mode: NOTE: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated, due to TS being deprecated for HP-UX 11i-v3 (11.31). For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Use the SAM/SMH interface (/etc/default/security file) to update the attribute. See the below example: CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database. If manually editing the /etc/default/security file, save any change(s) before exiting the editor.

Fix Text (F-45446r1_fix)

For Trusted Mode:
NOTE: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated, due to TS being deprecated for HP-UX 11i-v3 (11.31).

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (/etc/default/security file) to update the attribute. See the below example:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

Note: Never use a text editor to modify any /var/adm/userdb database file. The database contains checksums and other binary data, and editors (vi included) do not follow the file locking conventions that are used to control access to the database.
If manually editing the /etc/default/security file, save any change(s) before exiting the editor.