
The system must use a FIPS 140-2-approved cryptographic hashing algorithm for generating account password hashes.


Overview

Finding ID: V-22303
Version: GEN000590
Rule ID: SV-52489r3_rule
IA Controls:
Severity: Medium
Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2-approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.
STIG: HP-UX 11.31 Security Technical Implementation Guide
Date: 2018-09-14

Details

Check Text (C-47035r3_chk)
For Trusted Mode:
MD5 is currently the only available hashing function. Per vendor documentation, this algorithm will not be updated, due to TS being deprecated/replaced by SMSE.

For SMSE:
Check the system password settings for use of cryptographic hashes from the SHA-2 family of algorithms or FIPS 140-2-approved successors.

# egrep "CRYPT_ALGORITHMS_DEPRECATE|CRYPT_DEFAULT" /etc/default/security

The following is an example output from the above command:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

If the attributes "CRYPT_ALGORITHMS_DEPRECATE" and "CRYPT_DEFAULT" are not set per the above example output, this is a finding.
Fix Text (F-45448r2_fix)
For Trusted Mode:
Note: There is no fix for Trusted Mode/Systems (TS). MD5 is currently used, and per vendor documentation, this algorithm will not be updated due to TS being deprecated/replaced by SMSE.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Use the SAM/SMH interface (or edit the /etc/default/security file) to set the attributes as in the example below:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6

If manually editing the /etc/default/security file, save any change(s) before exiting the editor.
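As an added example (not part of the STIG text), the following POSIX shell check evaluates an /etc/default/security-style file against the GEN000590 values from the Check and Fix Text above and reports which attribute still needs the fix. It ignores commented-out assignments, which the egrep in the Check Text would still display; the file path and sample contents are constructed.

```shell
#!/bin/sh
# Added example: evaluate an /etc/default/security-style file against the
# GEN000590 values (CRYPT_ALGORITHMS_DEPRECATE=__unix__, CRYPT_DEFAULT=6).
# Unlike the egrep in the Check Text, commented-out lines do not count.

# Print the effective value of attribute $2 in file $1: the last
# uncommented assignment wins; prints nothing if the attribute is unset.
get_attr() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Return 0 when the file meets GEN000590, 1 when this is a finding.
# CRYPT_DEFAULT=6 selects SHA-512 in the crypt(3) identifier scheme.
check_gen000590() {
    file=$1
    dep=$(get_attr "$file" CRYPT_ALGORITHMS_DEPRECATE)
    def=$(get_attr "$file" CRYPT_DEFAULT)
    rc=0
    if [ "$dep" != "__unix__" ]; then
        echo "FINDING: CRYPT_ALGORITHMS_DEPRECATE is '${dep:-unset}', expected __unix__"
        rc=1
    fi
    if [ "$def" != "6" ]; then
        echo "FINDING: CRYPT_DEFAULT is '${def:-unset}', expected 6"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file sets both attributes per GEN000590"
    fi
    return "$rc"
}

# Constructed sample (not a real system file): the DEPRECATE line is
# commented out and MD5 (1) is still the default, so this is a finding
# even though the egrep from the Check Text would print both lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
EOF
check_gen000590 "$sample" || echo "Apply the Fix Text values and re-run the check."
rm -f "$sample"
```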