The password hashes stored on AIX system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-91573	AIX7-00-001134	SV-101671r1_rule		Medium

Description
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes that are more vulnerable to compromise.

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2020-02-24

Details

Check Text ( C-90727r3_chk )
Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command: # lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm usw pwd_algorithm=ssha512 If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding. Verify no password hashes in /etc/passwd by running the following command: # cat /etc/passwd \| cut -f2,2 -d":" ! ! ! ! * * * * If there are password hashes present, this is a finding. Verify all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running commands: # cat /etc/security/passwd \| grep password password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP.. password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/.. password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM.. password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN.. If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.

Check Text ( C-90727r3_chk )

Verify that the system wide password algorithm is set to {ssha256} or {ssha512} by running the following command:

# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=ssha512

If the "pwd_algorithm" is not set to "ssha256" or "ssha512", this is a finding.

Verify no password hashes in /etc/passwd by running the following command:

# cat /etc/passwd | cut -f2,2 -d":"
!
!
!
!
*
*
*
*

If there are password hashes present, this is a finding.

Verify all password hashes in "/etc/security/passwd" begin with {ssha256} or {ssha512} by running commands:

# cat /etc/security/passwd | grep password
password = {ssha512}06$e58YOawe/7UhChqh$hZEWlP4040jarX1NeOujmcxd.7qerUvjW9lM9djJsDITtdjFvVpLX.r04xieOWrbH0qb0SJJ98a0tmgZBzPP..
password = {ssha512}06$Y6ztvMxKGdITxPex$B81/GDTEPt0xwp.BX1VhY9mAPaWHXdNoLI9D0T6dBExgo6r87X0etnfjxWODT73.udrbAY.F4HzaBR68lN5/..
password = {ssha512}06$iIXQQqs.mdGpC9Wu$cXSajikWYKAUacbF50FNlFgYYSgTklGf4uhXb1J/GyBGF5j5aWa4YG5Ah2uaAHv/Jmbmx.7yBm8iXz9Pz1LM..
password = {ssha512}06$3Sw24rPVdqDFFCIl$d1dZs7GYmTXnD9i270SxozIBxN0pqq/bNn0YbyKeDq0o6Y.j9qfkeH373DwkHBWgrifNcgj/K0pVyzjMg6QN..

If any password hashes are present not beginning with {ssha256} or {ssha512}, this is a finding.

Fix Text (F-97771r3_fix)
Set the system wide password algorithm to "ssha256" or "ssha512" by running the following command: # chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512 Change the passwords for all accounts using non-compliant password hashes by running the following command: $ passwd [user_name]