The password hashes stored on the system must have been generated using a FIPS 140-2 approved cryptographic hashing algorithm.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-226460 | GEN000595 | SV-226460r603265_rule | Medium |
| Description |
|---|
| Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors. The use of unapproved algorithms may result in weak password hashes more vulnerable to compromise. |
| STIG | Date |
|---|---|
| Solaris 10 SPARC Security Technical Implementation Guide | 2020-12-04 |
Details
| Check Text ( C-36381r602746_chk ) |
|---|
| Determine if any password hashes stored on the system were not generated using a FIPS 140-2 approved cryptographic hashing algorithm. Procedure: # cut -d ':' -f2 /etc/passwd # cut -d ':' -f2 /etc/shadow If any password hashes are present not beginning with $5$ or $6$, this is a finding. Verify that FIPS 140-2 approved cryptographic hashing algorithms are available. # egrep '^[56]' /etc/security/crypt.conf If no lines are returned, this is a finding. |
| Fix Text (F-36345r602747_fix) |
|---|
| If the /etc/security/crypt.conf file does not support FIPS 140-2 approved cryptographic hashing algorithms, upgrade to at least the Solaris 10 8/07 release. Edit the /etc/security/policy.conf file. # vi /etc/security/policy.conf Uncomment or add the CRYPT_ALGORITHMS_ALLOW line and set it to "5,6". Update the CRYPT_DEFAULT default line to be equal to 5 or 6. The following lines are acceptable. CRYPT_ALGORITHMS_ALLOW=5,6 CRYPT_DEFAULT=6 Update passwords for all accounts with non-compliant password hashes. |