The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22303 | GEN000590 | SV-40776r1_rule | DCNR-1 IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise. |
| STIG | Date |
|---|---|
| Solaris 10 SPARC Security Technical Implementation Guide | 2014-04-04 |
Details
| Check Text ( C-39521r2_chk ) |
|---|
| Verify the traditional UNIX crypt algorithm is deprecated. # egrep CRYPT_ALGORITHMS_DEPRECATE /etc/security/policy.conf If CRYPT_ALGORITHMS_DEPRECATE is not set or does not include "__unix__", this is a finding. Verify new password hashes are generated using either the SHA-256 or SHA-512 cryptographic hashing algorithm. # egrep CRYPT_DEFAULT /etc/security/policy.conf If CRYPT_DEFAULT is not set or is not equal to 5 or 6, this is a finding. |
| Fix Text (F-34635r1_fix) |
|---|
| Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment the CRYPT_ALGORITHMS_DEPRECATE line and set it to "__unix__". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 |